CVE-2026-45292

May 29, 2026, 3:42 p.m.

5.3
Medium

Description

opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This vulnerability is fixed in 1.62.0.

Product(s) Impacted

Vendor Product Versions
Opentelemetry
  • Opentelemetry-java
  • <1.62.0, 1.62.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-770
Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a opentelemetry opentelemetry-java <1.62.0 / / / / / / /
a opentelemetry opentelemetry-java 1.62.0 / / / / / / /

References

https://github.com/open-telemetry/opentelemetry-java/commit/03837d3c1763bc35464aea1078671e2ef2336a5f
https://github.com/open-telemetry/opentelemetry-java/pull/8380
https://github.com/open-telemetry/opentelemetry-java/releases/tag/v1.62.0
https://github.com/open-telemetry/opentelemetry-java/security/advisories/GHSA-rcgg-9c38-7xpx

Tags

[email protected]
CWE-770
2026-05-28
CVE-2026-45292

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

    View Vector String

Timeline

Published: May 28, 2026, 5:16 p.m.
Last Modified: May 29, 2026, 3:42 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.