PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45287 open-telemetry CVE debrief

A low-severity vulnerability (CVSS Score: 2.1) was found in OpenTelemetry-Go, the Go implementation of OpenTelemetry. The issue, tracked as CVE-2026-45287, affects versions prior to 0.0.17. The vulnerability is caused by the `ParseFile` function in `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaking one file descriptor on each successful call. This can lead to a denial of service if an attacker can control the path being parsed: by triggering repeated parses of schema files in a long-running process, they can exhaust the process's file descriptor limit.

Vendor: open-telemetry
Product: go.opentelemetry.io/otel/schema/v1.1
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-08
Advisory published: 2026-06-04
Advisory updated: 2026-06-08

Who should care

Users of OpenTelemetry-Go, especially those whose services parse schema files repeatedly from an attacker-controlled path, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The `ParseFile` function in OpenTelemetry-Go's schema packages (`go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1`) does not close the schema file after parsing it, so every successful call leaks one file descriptor. An attacker who can control the path being parsed, and can cause it to be parsed repeatedly, can drive the process up to its file descriptor limit.
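The bug class described above, as an added example that is not OpenTelemetry-Go's own code: `parseHeader`, `parseFileLeaky`, `parseFileFixed` and `leakedFDs` are hypothetical names, the parser is a deliberately minimal stand-in for the real schema parser, and the leak check relies on Linux's `/proc/self/fd`.

```go
package main

import (
	"bufio"
	"os"
	"strings"
)

// parseHeader: hypothetical stand-in for the schema parser; it reads line 1,
// expected to be "file_format: <version>", and returns <version>.
func parseHeader(f *os.File) (string, error) {
	line, err := bufio.NewReader(f).ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line), "file_format:")), nil
}

// parseFileLeaky reproduces the bug class: the file is opened but never closed,
// so every successful call keeps one descriptor until the process limit is hit.
func parseFileLeaky(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	return parseHeader(f) // missing f.Close()
}

// parseFileFixed releases the descriptor on every return path.
func parseFileFixed(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	return parseHeader(f)
}

// leakedFDs calls parse n times and returns how many descriptors it left open,
// counting /proc/self/fd entries before and after (Linux only).
func leakedFDs(parse func(string) (string, error), path string, n int) (int, error) {
	before, err := os.ReadDir("/proc/self/fd")
	for i := 0; err == nil && i < n; i++ {
		_, err = parse(path)
	}
	if err != nil {
		return 0, err
	}
	after, err := os.ReadDir("/proc/self/fd")
	return len(after) - len(before), err
}
```

Go attaches a finalizer to `*os.File` that closes a leaked descriptor if the garbage collector happens to run first, so the leak count can come out below `n`; it is still a leak, since nothing guarantees collection before the limit is reached.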

Defensive priority

Low

Recommended defensive actions

  • Update to version 0.0.17 or later of OpenTelemetry-Go.
  • Avoid exposing repeated schema parsing to an attacker-controlled path.

Evidence notes

CVE-2026-45287 was published on 2026-06-04T16:16:38.690Z and modified on 2026-06-08T19:16:45.260Z. The vulnerability has a CVSS Score of 2.1 and is classified as LOW severity.
