PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-24051 open-telemetry CVE debrief

CVE-2026-24051 is a Path Hijacking (Untrusted Search Paths) vulnerability in the OpenTelemetry Go SDK, affecting versions v1.20.0-1.39.0 on macOS/Darwin systems. The vulnerability exists in the resource detection code in `sdk/resource/host_id.go`, which executes the `ioreg` system command by name, so the binary is resolved through the PATH search path rather than an absolute path. An attacker who can locally modify the PATH environment variable of the affected process can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with version v1.40.0.

Vendor: open-telemetry
Product: opentelemetry-go
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-02
Original CVE updated: 2026-06-15
Advisory published: 2026-02-02
Advisory updated: 2026-06-15

Who should care

Users of OpenTelemetry-Go, particularly those on macOS/Darwin systems, who have installed versions v1.20.0-1.39.0 should be aware of this vulnerability.

Technical summary

The OpenTelemetry Go SDK in versions v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in `sdk/resource/host_id.go` executes the `ioreg` system command by name, so the binary is resolved through the PATH search path rather than an absolute path. An attacker who can locally modify the PATH environment variable of the affected process can achieve Arbitrary Code Execution (ACE) within the context of the application.
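The following Go snippet is an added illustration of the hardened pattern and is not code from the OpenTelemetry Go SDK or from its v1.40.0 fix: instead of letting `exec.Command("ioreg", ...)` search PATH, the helper resolves the binary only inside an assumed allowlist of absolute system directories and rejects relative entries, path separators in the name, and non-executable or world-writable files. The directory list and the `ioreg` arguments are assumptions for the example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// The vulnerable shape is exec.Command("ioreg", ...): a bare name makes Go
// call exec.LookPath, which walks PATH in order, so a writable or relative
// entry placed before /usr/sbin lets a local user substitute its own "ioreg".
// trustedDirs is an assumed allowlist of root-owned system directories on a
// stock macOS install; PATH is never consulted.
var trustedDirs = []string{"/usr/sbin", "/usr/bin", "/sbin", "/bin"}

// resolveTrusted returns the absolute path of name inside the first of dirs
// that holds it, refusing relative dirs, separators, and unsafe file modes.
func resolveTrusted(name string, dirs []string) (string, error) {
	if strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("%q: command name must not contain path separators", name)
	}
	for _, d := range dirs {
		if !filepath.IsAbs(d) {
			continue // a relative entry such as "." is what hijacking relies on
		}
		p := filepath.Join(d, name)
		fi, err := os.Stat(p)
		if err != nil || !fi.Mode().IsRegular() {
			continue
		}
		if fi.Mode().Perm()&0o111 == 0 || fi.Mode().Perm()&0o002 != 0 {
			return "", fmt.Errorf("%s: not a trusted executable (%v)", p, fi.Mode())
		}
		return p, nil
	}
	return "", fmt.Errorf("%s: not found in trusted directories", name)
}

// ioregHardened pins the binary to a vetted absolute path and starts it with
// an empty environment, so neither PATH nor other inherited variables reach it.
func ioregHardened() (*exec.Cmd, error) {
	p, err := resolveTrusted("ioreg", trustedDirs)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(p, "-rd1", "-c", "IOPlatformExpertDevice") // assumed args
	cmd.Env = []string{}
	return cmd, nil
}
```

On a non-macOS host `ioregHardened` simply returns a "not found in trusted directories" error instead of running whatever `ioreg` happens to be first in PATH.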

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to version v1.40.0 or later
  • Ensure that the PATH environment variable of affected applications contains only trusted directories that unprivileged local users cannot write to, and monitor it for unexpected changes

Evidence notes

The vulnerability was reported and fixed by the OpenTelemetry team. The fix was released with version v1.40.0.

Official resources

CVE-2026-24051 was published on 2026-02-02T23:16:07.963Z and modified on 2026-06-15T17:18:58.520Z.