PatchSiren cyber security CVE debrief
CVE-2026-42191 open-telemetry CVE debrief
OpenTelemetry.Exporter.OpenTelemetryProtocol versions 1.8.0 through 1.15.2 contain a vulnerability in the experimental OTLP disk retry feature. When `OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk` is enabled without explicitly configuring `OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH`, the exporter silently falls back to `Path.GetTempPath()` for storing retry data. This creates a shared, predictable directory structure (with fixed subdirectories named `traces`, `metrics`, and `logs`) that is accessible to other local users on multi-user systems. The vulnerability allows local attackers to read sensitive telemetry data from blob files, inject malicious blob files that may be processed on retry, or conduct resource exhaustion attacks through disk space consumption or performance degradation. The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L) reflects local attack vector, high attack complexity due to required conditions, low privileges needed, and high impacts to confidentiality and integrity with low availability impact. The issue is classified under CWE-379 (Creation of Temporary File in Directory with Incorrect Permissions).
- Vendor: open-telemetry
- Product: opentelemetry-dotnet
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-26
Who should care
Organizations running .NET applications with OpenTelemetry OTLP exporters on multi-user systems or shared hosting environments; DevOps teams using experimental disk retry features for telemetry reliability; security teams monitoring for local privilege escalation vectors in observability infrastructure; cloud platform operators providing .NET runtime environments to multiple tenants
Technical summary
The OpenTelemetry .NET OTLP exporter's experimental disk retry mechanism creates a security boundary failure when the retry directory is not explicitly configured. The exporter writes serialized telemetry data as *.blob files to signal-specific subdirectories (traces/, metrics/, logs/) under the system temporary path. On Windows this typically resolves to %TEMP% (user-isolated, but potentially accessible to elevated processes); on Linux/Unix systems with a shared /tmp or /var/tmp the exposure is broader. The fallback is silent: no warning is emitted when the environment variable for a custom path is absent. An attacker with local access can use the predictable path structure to:
- read blob files and exfiltrate telemetry that may contain sensitive operational information;
- poison the retry queue by writing malformed or malicious blob files that may cause parsing failures or unexpected behavior when the export is retried;
- cause denial of service through disk quota exhaustion, or degrade the retry loop with file system operations over numerous large blob files.
The fix in 1.15.3 requires explicit directory configuration when disk retry is enabled, eliminating the silent insecure fallback.
Defensive priority
medium
Recommended defensive actions
- Upgrade OpenTelemetry.Exporter.OpenTelemetryProtocol to version 1.15.3 or later
- If using the experimental disk retry feature, explicitly configure OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH to a secure, application-private directory with restricted permissions
- Review and clear any existing *.blob files from shared temporary directories that may have been created by affected versions
- Audit systems for unauthorized blob files in Path.GetTempPath() subdirectories named traces, metrics, or logs
- Consider disabling disk retry (remove OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY environment variable) if not strictly required until upgrade is complete
- Apply principle of least privilege to service accounts running applications with OTLP exporters
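The audit and configuration actions above can be scripted. The following Python helper is an added example, not code from the advisory or the OpenTelemetry project: it mirrors the path selection the advisory describes (explicit OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH, otherwise the system temp path with fixed traces/metrics/logs subdirectories), reports whether that directory is readable or writable by other users, and lists any *.blob files in it. The fixture it builds is constructed for demonstration; the `.blob` suffix and directory layout are taken from the advisory text.

```python
import os
import stat
import tempfile

RETRY_VAR = "OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY"
PATH_VAR = "OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH"
SIGNAL_DIRS = ("traces", "metrics", "logs")  # fixed subdirectory names per advisory


def effective_retry_dir(env, temp_root=None):
    # Explicit path wins; otherwise the system temp path (the silent fallback).
    explicit = env.get(PATH_VAR)
    if explicit:
        return explicit, False
    return temp_root or tempfile.gettempdir(), True


def is_shared_dir(path):
    # Other-user read/write bits on POSIX; mode bits are not meaningful on Windows.
    if os.name != "posix":
        return False
    return bool(os.stat(path).st_mode & (stat.S_IROTH | stat.S_IWOTH))


def find_retry_blobs(root):
    # *.blob files in the exporter's fixed signal subdirectories under root.
    found = []
    for sig in SIGNAL_DIRS:
        sub = os.path.join(root, sig)
        if os.path.isdir(sub):
            found += [os.path.join(sub, n) for n in sorted(os.listdir(sub)) if n.endswith(".blob")]
    return found


def audit(env, temp_root=None):
    # Findings for one process environment: disk retry on, fallback in use, shared dir, blobs.
    if env.get(RETRY_VAR) != "disk":
        return {"disk_retry": False, "fallback": False, "shared": False, "blobs": []}
    root, fallback = effective_retry_dir(env, temp_root)
    shared = os.path.isdir(root) and is_shared_dir(root)
    return {"disk_retry": True, "fallback": fallback, "retry_dir": root,
            "shared": shared, "blobs": find_retry_blobs(root)}


def make_constructed_sample():
    # Constructed fixture: a world-writable temp-style root holding leftover blob files.
    root = tempfile.mkdtemp(prefix="otlp-retry-sample-")
    for sig, count in (("traces", 2), ("metrics", 1)):
        os.makedirs(os.path.join(root, sig))
        for i in range(count):
            with open(os.path.join(root, sig, f"{i}.blob"), "wb") as fh:
                fh.write(b"constructed-blob")
    os.chmod(root, 0o1777)  # mimic /tmp-style permissions (no effect on Windows)
    return root
```

Run `audit(dict(os.environ))` on a host to check the real process environment; a result with `fallback` true and a non-empty `blobs` list is the condition the upgrade and cleanup actions above address.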
Evidence notes
Vulnerability confirmed through NVD analysis with vendor advisory and patch references from OpenTelemetry .NET repository. Affected versions precisely bounded: 1.8.0 inclusive through 1.15.2 inclusive, fixed in 1.15.3.
Official resources
- CVE-2026-42191 CVE record (CVE.org)
- CVE-2026-42191 NVD detail (NVD)
- Mitigation or vendor reference: [email protected] (Issue Tracking, Patch)
- Mitigation or vendor reference: [email protected] (Mitigation, Vendor Advisory)