PatchSiren cyber security CVE debrief
CVE-2026-44967 open-telemetry CVE debrief
CVE-2026-44967 is a vulnerability in the OpenTelemetry-cpp implementation, specifically affecting its OTLP HTTP exporters for traces, metrics, and logs. Prior to the release of version 1.27.0, these exporters would read the full HTTP response into an in-memory vector of bytes without any size cap. This behavior can be exploited for memory exhaustion when the configured collector endpoint is controlled by an attacker or when a network attacker can perform a man-in-the-middle (MITM) attack on the exporter connection. The vulnerability has been addressed with the release of opentelemetry-cpp version 1.27.0.
- Vendor: open-telemetry
- Product: opentelemetry-cpp
- CVSS: 5.3 (MEDIUM)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of OpenTelemetry-cpp, especially those who have configured collector endpoints that could be controlled by attackers or are exposed to networks where MITM attacks could occur.
Technical summary
The OTLP HTTP exporters in OpenTelemetry-cpp prior to version 1.27.0 do not limit the size of HTTP responses stored in memory, leading to potential memory exhaustion.
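As an added illustration, not code from opentelemetry-cpp, the following C++ shows the unbounded response accumulation described above beside a bounded variant that refuses to grow past a cap. The function names, the DrainResult type, the simulated peer and the 64 KiB cap used in main are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added illustration (not opentelemetry-cpp's code): accumulating an HTTP
// response body with and without a size cap. Function names and the cap
// value are assumptions for the example.

// Unbounded accumulation, mirroring the pre-1.27.0 behaviour described in
// the summary: every received chunk is appended, so a peer that keeps
// streaming bytes drives the exporter's memory use until it is exhausted.
void append_unbounded(std::vector<uint8_t>& body,
                      const uint8_t* data, size_t len) {
    body.insert(body.end(), data, data + len);
}

// Bounded accumulation: refuse any chunk that would push the stored body
// past max_body_bytes and tell the caller to abort the transfer. The
// buffer can never grow beyond the cap, whatever the peer sends.
bool append_bounded(std::vector<uint8_t>& body,
                    const uint8_t* data, size_t len,
                    size_t max_body_bytes) {
    // Compared against the remaining budget so the check cannot overflow
    // even for a hostile len value.
    if (body.size() > max_body_bytes || len > max_body_bytes - body.size()) {
        return false;
    }
    body.insert(body.end(), data, data + len);
    return true;
}

// Outcome of draining a simulated response: bytes retained in memory and
// whether the transfer was cut off by the cap.
struct DrainResult {
    size_t retained;
    bool aborted;
};

// Simulates a peer that sends `chunks` chunks of `chunk_len` bytes each
// (constructed input: every byte is 'A') into the unbounded accumulator.
DrainResult drain_unbounded(size_t chunks, size_t chunk_len) {
    std::vector<uint8_t> body;
    std::vector<uint8_t> chunk(chunk_len, 'A');
    for (size_t i = 0; i < chunks; ++i) {
        append_unbounded(body, chunk.data(), chunk.size());
    }
    return DrainResult{body.size(), false};
}

// Same simulated peer against the bounded accumulator: the loop stops at
// the first chunk the cap rejects, which is where a real exporter would
// abort the request and drop the connection.
DrainResult drain_bounded(size_t chunks, size_t chunk_len,
                          size_t max_body_bytes) {
    std::vector<uint8_t> body;
    std::vector<uint8_t> chunk(chunk_len, 'A');
    for (size_t i = 0; i < chunks; ++i) {
        if (!append_bounded(body, chunk.data(), chunk.size(), max_body_bytes)) {
            return DrainResult{body.size(), true};
        }
    }
    return DrainResult{body.size(), false};
}

int main() {
    // A peer streaming 10,000 chunks of 1 KiB: the unbounded path keeps all
    // 10 MiB, the bounded path (assumed 64 KiB cap) keeps at most 64 KiB.
    const size_t kCap = 64 * 1024;
    DrainResult u = drain_unbounded(10000, 1024);
    DrainResult b = drain_bounded(10000, 1024, kCap);
    std::printf("unbounded: retained %zu bytes, aborted=%d\n", u.retained, u.aborted);
    std::printf("bounded:   retained %zu bytes, aborted=%d\n", b.retained, b.aborted);
    return 0;
}
```

The bounded variant treats the cap as a hard failure of the export attempt rather than silently truncating, since an OTLP response larger than a few kilobytes is itself a sign that the endpoint is not the collector the exporter expects.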
Defensive priority
Medium
Recommended defensive actions
- Upgrade to OpenTelemetry-cpp version 1.27.0 or later.
- Validate and limit access to collector endpoints.
- Implement network security measures to prevent or detect MITM attacks.
Evidence notes
CVE-2026-44967 has a CVSS score of 5.3 and is classified as MEDIUM severity. It was published on 2026-06-12T16:16:27.973Z and modified on 2026-06-12T17:16:23.020Z.