CVE-2026-29181

Source
https://cve.org/CVERecord?id=CVE-2026-29181
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-29181.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-29181
Aliases
Published
2026-04-07T20:29:13.933Z
Modified
2026-04-09T11:45:16.479810Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote DoS amplification)
Details

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value `baggage:` header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify CPU usage and allocations by sending many `baggage:` header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29181.json",
    "cwe_ids": [
        "CWE-770"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/open-telemetry/opentelemetry-go

Affected ranges

Type
GIT
Repo
https://github.com/open-telemetry/opentelemetry-go
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.36.0"
        },
        {
            "fixed": "1.41.0"
        }
    ]
}

Affected versions

bridge/opencensus/test/v1.*
bridge/opencensus/test/v1.36.0
bridge/opencensus/test/v1.37.0
bridge/opencensus/test/v1.38.0
bridge/opencensus/test/v1.39.0
bridge/opencensus/test/v1.40.0
bridge/opencensus/v1.*
bridge/opencensus/v1.36.0
bridge/opencensus/v1.37.0
bridge/opencensus/v1.38.0
bridge/opencensus/v1.39.0
bridge/opencensus/v1.40.0
bridge/opentracing/test/v1.*
bridge/opentracing/test/v1.36.0
bridge/opentracing/v1.*
bridge/opentracing/v1.36.0
bridge/opentracing/v1.37.0
bridge/opentracing/v1.38.0
bridge/opentracing/v1.39.0
bridge/opentracing/v1.40.0
exporters/otlp/otlplog/otlploggrpc/v0.*
exporters/otlp/otlplog/otlploggrpc/v0.12.0
exporters/otlp/otlplog/otlploggrpc/v0.12.1
exporters/otlp/otlplog/otlploggrpc/v0.12.2
exporters/otlp/otlplog/otlploggrpc/v0.13.0
exporters/otlp/otlplog/otlploggrpc/v0.14.0
exporters/otlp/otlplog/otlploggrpc/v0.15.0
exporters/otlp/otlplog/otlploggrpc/v0.16.0
exporters/otlp/otlplog/otlploghttp/v0.*
exporters/otlp/otlplog/otlploghttp/v0.12.0
exporters/otlp/otlplog/otlploghttp/v0.12.1
exporters/otlp/otlplog/otlploghttp/v0.12.2
exporters/otlp/otlplog/otlploghttp/v0.13.0
exporters/otlp/otlplog/otlploghttp/v0.14.0
exporters/otlp/otlplog/otlploghttp/v0.15.0
exporters/otlp/otlplog/otlploghttp/v0.16.0
exporters/otlp/otlpmetric/otlpmetricgrpc/v1.*
exporters/otlp/otlpmetric/otlpmetricgrpc/v1.36.0
exporters/otlp/otlpmetric/otlpmetricgrpc/v1.37.0
exporters/otlp/otlpmetric/otlpmetricgrpc/v1.38.0
exporters/otlp/otlpmetric/otlpmetricgrpc/v1.39.0
exporters/otlp/otlpmetric/otlpmetricgrpc/v1.40.0
exporters/otlp/otlpmetric/otlpmetrichttp/v1.*
exporters/otlp/otlpmetric/otlpmetrichttp/v1.36.0
exporters/otlp/otlpmetric/otlpmetrichttp/v1.37.0
exporters/otlp/otlpmetric/otlpmetrichttp/v1.38.0
exporters/otlp/otlpmetric/otlpmetrichttp/v1.39.0
exporters/otlp/otlpmetric/otlpmetrichttp/v1.40.0
exporters/otlp/otlptrace/otlptracegrpc/v1.*
exporters/otlp/otlptrace/otlptracegrpc/v1.36.0
exporters/otlp/otlptrace/otlptracegrpc/v1.37.0
exporters/otlp/otlptrace/otlptracegrpc/v1.38.0
exporters/otlp/otlptrace/otlptracegrpc/v1.39.0
exporters/otlp/otlptrace/otlptracegrpc/v1.40.0
exporters/otlp/otlptrace/otlptracehttp/v1.*
exporters/otlp/otlptrace/otlptracehttp/v1.36.0
exporters/otlp/otlptrace/otlptracehttp/v1.37.0
exporters/otlp/otlptrace/otlptracehttp/v1.38.0
exporters/otlp/otlptrace/otlptracehttp/v1.39.0
exporters/otlp/otlptrace/otlptracehttp/v1.40.0
exporters/otlp/otlptrace/v1.*
exporters/otlp/otlptrace/v1.36.0
exporters/otlp/otlptrace/v1.37.0
exporters/otlp/otlptrace/v1.38.0
exporters/otlp/otlptrace/v1.39.0
exporters/otlp/otlptrace/v1.40.0
exporters/prometheus/v0.*
exporters/prometheus/v0.58.0
exporters/prometheus/v0.59.0
exporters/prometheus/v0.59.1
exporters/prometheus/v0.60.0
exporters/prometheus/v0.61.0
exporters/prometheus/v0.62.0
exporters/stdout/stdoutlog/v0.*
exporters/stdout/stdoutlog/v0.12.0
exporters/stdout/stdoutlog/v0.12.1
exporters/stdout/stdoutlog/v0.12.2
exporters/stdout/stdoutlog/v0.13.0
exporters/stdout/stdoutlog/v0.14.0
exporters/stdout/stdoutlog/v0.15.0
exporters/stdout/stdoutlog/v0.16.0
exporters/stdout/stdoutmetric/v1.*
exporters/stdout/stdoutmetric/v1.36.0
exporters/stdout/stdoutmetric/v1.37.0
exporters/stdout/stdoutmetric/v1.38.0
exporters/stdout/stdoutmetric/v1.39.0
exporters/stdout/stdoutmetric/v1.40.0
exporters/stdout/stdouttrace/v1.*
exporters/stdout/stdouttrace/v1.36.0
exporters/stdout/stdouttrace/v1.37.0
exporters/stdout/stdouttrace/v1.38.0
exporters/stdout/stdouttrace/v1.39.0
exporters/stdout/stdouttrace/v1.40.0
exporters/zipkin/v1.*
exporters/zipkin/v1.36.0
exporters/zipkin/v1.37.0
exporters/zipkin/v1.38.0
exporters/zipkin/v1.39.0
exporters/zipkin/v1.40.0
log/logtest/v0.*
log/logtest/v0.13.0
log/logtest/v0.14.0
log/logtest/v0.15.0
log/logtest/v0.16.0
log/v0.*
log/v0.12.0
log/v0.12.1
log/v0.12.2
log/v0.13.0
log/v0.14.0
log/v0.15.0
log/v0.16.0
metric/v1.*
metric/v1.36.0
metric/v1.37.0
metric/v1.38.0
metric/v1.39.0
metric/v1.40.0
schema/v0.*
schema/v0.0.13
schema/v0.0.14
sdk/log/logtest/v0.*
sdk/log/logtest/v0.13.0
sdk/log/logtest/v0.14.0
sdk/log/logtest/v0.15.0
sdk/log/logtest/v0.16.0
sdk/log/v0.*
sdk/log/v0.12.0
sdk/log/v0.12.1
sdk/log/v0.12.2
sdk/log/v0.13.0
sdk/log/v0.14.0
sdk/log/v0.15.0
sdk/log/v0.16.0
sdk/metric/v1.*
sdk/metric/v1.36.0
sdk/metric/v1.37.0
sdk/metric/v1.38.0
sdk/metric/v1.39.0
sdk/metric/v1.40.0
sdk/v1.*
sdk/v1.36.0
sdk/v1.37.0
sdk/v1.38.0
sdk/v1.39.0
sdk/v1.40.0
trace/v1.*
trace/v1.36.0
trace/v1.37.0
trace/v1.38.0
trace/v1.39.0
trace/v1.40.0
v1.*
v1.36.0
v1.37.0
v1.38.0
v1.39.0
v1.40.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-29181.json"