HIGHCVE-2026-29181Published 2026-04-07Modified 2026-04-08CNA GitHub_M

CVE-2026-29181: OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

open-telemetry / opentelemetry-go
>= 1.36.0, < 1.41.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475

Metrics