PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59892 open-telemetry CVE debrief

CVE-2026-59892 is a vulnerability in the OpenTelemetry JavaScript client, specifically in the @opentelemetry/propagator-jaeger module. An unauthenticated remote attacker can send a malformed percent-encoded value that throws an uncaught URIError and terminates a Node.js process using JaegerPropagator as the active propagator. The issue is fixed in version 2.9.0. Affected product deployments should be identified, and owners should be assigned for follow-up. Official advisories and CVE records should be reviewed to validate affected scope, severity, and vendor guidance.

Vendor
open-telemetry
Product
opentelemetry-js
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Users of OpenTelemetry JavaScript client, particularly those using JaegerPropagator, should be aware of this vulnerability and take steps to mitigate it. Affected operators, platforms, vulnerability-management teams, and security teams should review the vulnerability scope and impact. They should identify and prioritize affected product deployments, review official advisories, and plan for vendor-supported updates or mitigations.

Technical summary

The @opentelemetry/propagator-jaeger module in OpenTelemetry JavaScript client decodes incoming uber-trace-id and uberctx-* HTTP header values with decodeURIComponent() without handling decode errors. This allows an unauthenticated remote attacker to send a malformed percent-encoded value that throws an uncaught URIError and terminates a Node.js process. The vulnerability has a high CVSS score of 7.5, indicating high severity. Affected product context and defensive impact should be considered when implementing mitigations.

Defensive priority

High priority due to the high CVSS score of 7.5 and the potential for unauthenticated remote attacks.

Recommended defensive actions

  • Update to version 2.9.0 or later
  • Verify and validate user input
  • Implement error handling for decodeURIComponent()
  • Monitor for suspicious activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-08T17:17:27.190Z and last modified on 2026-07-10T18:56:03.583Z. The NVD entry is currently Awaiting Analysis. Evidence from the CVE record and NVD detail page indicates that OpenTelemetry JavaScript client is vulnerable. However, detailed analysis and verification of the vulnerability scope and impact are required. Defenders should verify the affected product deployments, review official advisories, and plan for vendor-supported updates or mitigations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T17:17:27.190Z and has not been modified since then.