CVE-2026-44902: opentelemetry-js: Prometheus exporter process crash via malformed HTTP request
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process. This vulnerability is fixed in 0.217.0.
HarborGuard Analysis
Synopsis
This is a denial-of-service vulnerability in the OpenTelemetry JavaScript client's Prometheus exporter. A remote attacker with no authentication can send a single HTTP request whose request-target the URL parser rejects to the metrics endpoint (default port 9464); the exporter parses the URL with no error handling inside its HTTP request handler, so the resulting uncaught TypeError terminates the entire Node.js process. Successful exploitation crashes the host process, taking down the whole application that embeds the exporter, not just metrics export. Upstream fixed the issue in 0.217.0 (and in @opentelemetry/auto-instrumentations-node 0.75.0); HarborGuard flags images that bundle older versions and routes them for upgrade.
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including internally built images that bundle opentelemetry-js, @opentelemetry/exporter-prometheus, @opentelemetry/sdk-node or @opentelemetry/auto-instrumentations-node.
- Triage: Available. HarborGuard's scoring pipeline surfaces this CVE at its CVSS v3.1 score of 7.5 (HIGH) and weights it against each customer environment's compliance policy to prioritize routing. Findings are delivered to the inbox or ticketing integration configured for each team inside the customer org.
- Remediation: Available. Upstream shipped the fix in 0.217.0 (0.75.0 for @opentelemetry/auto-instrumentations-node), so the remediation path is an upgrade of the affected packages, and HarborGuard makes a patched-image rebuild available for images that still bundle older versions. Customers that cannot upgrade immediately can apply network-level isolation to restrict access to port 9464 through HarborGuard's compensating-control policy recommendations; this narrows who can reach the endpoint but does not remove the bug.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Prometheus metrics endpoint over the network; by default it binds to 0.0.0.0:9464, so it is accessible from any host that can route to the machine.
- Authentication: Not required
The metrics endpoint requires no credentials, so any client that can open a TCP connection can send the malformed request.
- Victim interaction: Not required
No user or operator action is needed; the crash is triggered entirely by the inbound HTTP request.
- Attack complexity: Low
Exploitation is reliable and condition-free: a single crafted request whose request-target the URL parser rejects consistently triggers the uncaught TypeError regardless of environment state, and it can be repeated after every restart.
Blast Radius
- The targeted Node.js process is terminated immediately, taking down every service or workload running inside that process.
- Any in-flight requests or background jobs running in the same process are dropped without completing.
- Even when an orchestrator or supervisor restarts the process, the attacker can resend the request, so the service and its metrics endpoint cycle through a crash loop; during each restart gap scrapes fail and observability coverage for the affected service is lost. Without automatic restart the process simply stays down.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-44902 is flagged at HIGH severity and surfaced through the standard triage pipeline for any image found to contain a vulnerable version of opentelemetry-js, @opentelemetry/exporter-prometheus or @opentelemetry/sdk-node (< 0.217.0) or @opentelemetry/auto-instrumentations-node (< 0.75.0). The remediation is to upgrade to the fixed releases; for customers with auto-remediation enabled, HarborGuard triggers a patched-image rebuild, a regression-test run and a PR opened against the affected workloads. Teams can confirm which version an application actually resolves with `npm ls @opentelemetry/exporter-prometheus` (the exporter is pulled in transitively by @opentelemetry/sdk-node and @opentelemetry/auto-instrumentations-node, so a direct dependency on it is not required to be exposed). Where the upgrade cannot be rolled out immediately, the most effective compensating control is restricting network access to the Prometheus metrics port (default 9464) through a Kubernetes NetworkPolicy or host-level firewall rules so that only authorized scrapers can reach the endpoint; this reduces the set of hosts that can trigger the crash rather than removing it. Customers should also evaluate whether the metrics endpoint needs to bind to 0.0.0.0 or can be constrained to loopback or an internal interface, and should expect a restart policy to turn a single crash into a crash loop if the attacker keeps sending requests.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 0.217.0 (@opentelemetry/auto-instrumentations-node: 0.75.0)
- Affected Products: 4
  - open-telemetry/opentelemetry-js: < 0.217.0
  - @opentelemetry/exporter-prometheus: < 0.217.0
  - @opentelemetry/sdk-node: < 0.217.0
  - @opentelemetry/auto-instrumentations-node: < 0.75.0
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H