PatchSiren cyber security CVE debrief
CVE-2026-39883 open-telemetry CVE debrief
CVE-2026-39883 is a vulnerability in OpenTelemetry-Go, a Go implementation of OpenTelemetry. The vulnerability allows for a PATH hijacking attack on BSD and Solaris platforms. It was introduced in version 1.15.0 and fixed in version 1.43.0. The vulnerability has a CVSS score of 7.3 and is classified as HIGH severity. The vulnerability was published on April 8, 2026, and modified on June 30, 2026.
- Vendor
- open-telemetry
- Product
- opentelemetry-go
- CVSS
- HIGH 7.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-08
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-04-08
- Advisory updated
- 2026-06-30
Who should care
Users of OpenTelemetry-Go, especially those running versions 1.15.0 through 1.42.0 on BSD or Solaris hosts, should be aware of this vulnerability and take steps to mitigate it. The primary step is updating to version 1.43.0 or later. Until the upgrade is complete, users should exercise caution when running the affected versions in their environments.
Technical summary
The vulnerability in OpenTelemetry-Go allows for a PATH hijacking attack on BSD and Solaris platforms. The library invokes the BSD kenv command by its bare name rather than an absolute path, so the binary is resolved through the PATH of the process embedding the library; if that PATH contains a directory a local user can write to, a substitute binary placed there is executed instead of the system's kenv. The vulnerability was introduced in version 1.15.0 and fixed in version 1.43.0. The CVSS score for this vulnerability is 7.3, indicating a HIGH severity. The attack vector is local: an attacker needs local access to the system to exploit it.
Defensive priority
High priority should be given to updating OpenTelemetry-Go to version 1.43.0 or later. Additionally, users should ensure that their systems are configured securely and that the PATH of any process embedding the library contains only trusted directories that unprivileged local users cannot write to.
Recommended defensive actions
- Update OpenTelemetry-Go to version 1.43.0 or later
- Ensure that the PATH environment variable of affected processes contains only trusted, non-writable directories
- Configure systems securely to prevent local exploitation
- Monitor systems for suspicious activity
- Review and update security policies and procedures
Evidence notes
The vulnerability was published on April 8, 2026, and modified on June 30, 2026. The CVSS score for this vulnerability is 7.3, indicating a HIGH severity. The vulnerability allows for a PATH hijacking attack on BSD and Solaris platforms. The vulnerability was introduced in version 1.15.0 and fixed in version 1.43.0.
Official resources
- CVE-2026-39883 CVE record (CVE.org)
- CVE-2026-39883 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.