PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39883 open-telemetry CVE debrief

CVE-2026-39883 is a vulnerability in OpenTelemetry-Go, a Go implementation of OpenTelemetry, that permits a PATH hijacking attack on BSD and Solaris platforms. It was introduced in version 1.15.0 and fixed in version 1.43.0, carries a CVSS score of 7.3 (HIGH severity), and was published on April 8, 2026 and last modified on June 30, 2026.

Vendor: open-telemetry
Product: opentelemetry-go
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-08
Original CVE updated: 2026-06-30
Advisory published: 2026-04-08
Advisory updated: 2026-06-30

Who should care

Anyone running OpenTelemetry-Go at versions 1.15.0 through 1.42.0 is on affected code, and the exposure is concrete on BSD and Solaris hosts, where the kenv invocation takes place. The remedy is to update to version 1.43.0 or later; until that is done, treat the affected versions as exploitable by any local user on those platforms.

Technical summary

The library invokes the BSD kenv command by its bare name rather than by an absolute path. Go resolves a bare command name by searching the PATH of the calling process, so on BSD and Solaris hosts the binary that actually runs is whichever executable named kenv is found first in that search path; a local user who can write to a directory that precedes the system directory in PATH can therefore substitute their own program, which is the PATH hijacking attack the advisory describes. The flaw was introduced in version 1.15.0 and fixed in version 1.43.0, and is scored CVSS 7.3 (HIGH). Exploitation is local only: the attacker needs an account or foothold on the host.
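The bare-name lookup described above, as an added Go example that is not code from OpenTelemetry-Go: it reproduces the PATH search rule exec.Command applies to a bare name and contrasts it with a lookup confined to an allow-listed system directory. The directory layout (a user-writable directory ahead of a system directory, both holding a file named kenv) is constructed under a temp dir; the project's actual fix is not quoted here.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// lookup returns the first regular file with an execute bit named name in dirs, or "".
// This is the rule exec.Command applies to a bare name, with dirs taken from PATH.
func lookup(name string, dirs []string) string {
	for _, dir := range dirs {
		p := filepath.Join(dir, name)
		if fi, err := os.Stat(p); err == nil && fi.Mode().IsRegular() && fi.Mode()&0o111 != 0 {
			return p
		}
	}
	return ""
}

// Demo builds a constructed layout under a temp dir: "user-writable" precedes "system"
// in PATH and both hold an executable named kenv; it returns what each strategy picks.
func Demo() (viaPath, trusted string, err error) {
	root, err := os.MkdirTemp("", "kenv-path-demo")
	if err != nil {
		return "", "", err
	}
	defer os.RemoveAll(root)
	userDir, sysDir := filepath.Join(root, "user-writable"), filepath.Join(root, "system")
	for _, d := range []string{userDir, sysDir} {
		// Stand-in binaries: only the execute bit matters for this demonstration.
		if err = os.MkdirAll(d, 0o755); err == nil {
			err = os.WriteFile(filepath.Join(d, "kenv"), []byte("#!/bin/sh\n"), 0o755)
		}
		if err != nil {
			return "", "", err
		}
	}
	// Vulnerable pattern: bare name resolved through PATH; the writable dir that sorts first wins.
	pathEnv := userDir + string(os.PathListSeparator) + sysDir
	viaPath = lookup("kenv", filepath.SplitList(pathEnv))
	// Hardened pattern: PATH ignored, only an allow-listed system directory (or an absolute path).
	trusted = lookup("kenv", []string{sysDir})
	return viaPath, trusted, nil
}

func main() {
	fmt.Println(Demo())
}
```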

Defensive priority

Updating OpenTelemetry-Go to version 1.43.0 or later is the high-priority action. Where the update cannot be applied immediately, check the environment the instrumented process starts with: PATH should list only directories that unprivileged users cannot write to, ordered with the system binary directories first, and should contain no empty or relative entries such as ".", since any of those lets a local user interpose a binary ahead of the real kenv.

Recommended defensive actions

  • Update OpenTelemetry-Go to version 1.43.0 or later on every host, prioritising BSD and Solaris systems where the kenv invocation is reachable
  • Audit the PATH the service actually runs with (init scripts, service manager units, container images): only non-world-writable system directories, no relative or empty entries
  • Run the instrumented service under a dedicated low-privilege account so that a substituted kenv would execute with no more rights than the service itself
  • Monitor for executables named kenv appearing outside the system binary directories and for the service spawning child processes from unexpected paths
  • Review code and deployment procedures for the same pattern elsewhere: helper commands invoked by bare name rather than by absolute path

Evidence notes

The stored evidence records the CVE as published on April 8, 2026 and last modified on June 30, 2026, scored CVSS 7.3 (HIGH), describing a PATH hijacking attack on BSD and Solaris platforms that was introduced in version 1.15.0 and fixed in version 1.43.0. No CISA KEV listing appears in the stored evidence.

Official resources

This article is AI-assisted and based on the supplied source corpus.