PatchSiren cyber security CVE debrief
CVE-2026-45292 OpenTelemetry CVE debrief
A vulnerability in OpenTelemetry Java's baggage propagation allows unbounded memory allocation and CPU consumption when an oversized baggage header is parsed. The issue affects opentelemetry-api and opentelemetry-extension-trace-propagators prior to version 1.62.0. Because baggage extracted from an incoming request is automatically re-injected into every outgoing request, the cost of an oversized header is paid again by each downstream service, including services that never received the original malicious request, so a single request can start a denial-of-service cascade. The vulnerability was disclosed on May 28, 2026, with the fix released in version 1.62.0.
- Vendor
- OpenTelemetry
- Product
- opentelemetry-java
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-29
Who should care
Organizations running Java applications with OpenTelemetry instrumentation, particularly those with distributed microservices architectures where baggage propagation spans multiple service boundaries. Operations teams responsible for telemetry infrastructure and service reliability should prioritize this fix due to the downstream amplification risk.
Technical summary
The vulnerability exists in the baggage propagation implementation within opentelemetry-api and opentelemetry-extension-trace-propagators. Baggage arrives as a request header (the W3C baggage header for the default W3C propagator), and when that header is oversized the parser performs unbounded memory allocation and CPU consumption instead of rejecting it. Because extracted baggage is automatically re-injected into outgoing requests, the oversized value is forwarded and parsed again by every downstream service; this is the amplification vector, and it means services can be affected without direct exposure to the initial malicious request. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L indicates network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and low availability impact. Note that the score rates the effect on one service and does not capture the cross-service cascade. CWE-770 (Allocation of Resources Without Limits or Throttling) is the identified weakness.
Defensive priority
medium
Recommended defensive actions
- Upgrade opentelemetry-api and opentelemetry-extension-trace-propagators to version 1.62.0 or later; check the resolved dependency tree rather than only declared versions, since the SDK BOM, the Java agent and instrumentation libraries pin these artifacts transitively
- Strip or size-limit the baggage header at ingress points that face untrusted clients; baggage is intended for propagation between services you operate, so there is rarely a reason to accept it from the public internet
- Monitor for abnormal memory and CPU consumption in services using OpenTelemetry Java, and correlate spikes with unusually large inbound baggage headers if access logs record header sizes
- Consider rate limiting or circuit breakers on service-to-service calls so that one oversized request cannot fan out across the whole call graph
- Audit downstream services for exposure to propagated malicious baggage, including internal services that accept baggage from peers but have no external-facing ingress limits of their own
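The following is an added example, not code from the OpenTelemetry project or the advisory, showing the ingress limit from the list above applied inside the application for a service that cannot move to 1.62.0 immediately. It wraps the stock W3CBaggagePropagator in a TextMapPropagator that inspects the raw baggage header before anything is parsed and drops it when it exceeds a byte budget or member count, so the oversized value is neither parsed locally nor re-injected downstream. It assumes opentelemetry-api 1.x on the classpath; the class name BoundedBaggagePropagator and the limits 8192 bytes / 64 members are illustrative assumptions, not values taken from the advisory.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

import io.opentelemetry.api.baggage.Baggage;
import io.opentelemetry.api.baggage.propagation.W3CBaggagePropagator;
import io.opentelemetry.context.Context;
import io.opentelemetry.context.propagation.TextMapGetter;
import io.opentelemetry.context.propagation.TextMapPropagator;
import io.opentelemetry.context.propagation.TextMapSetter;

/**
 * Defence-in-depth propagator (example code, not part of OpenTelemetry).
 * The raw "baggage" header is checked before the delegate parses it; an
 * oversized header is dropped, so it is neither parsed here nor forwarded.
 * The limits are illustrative assumptions, not values from the advisory.
 */
public final class BoundedBaggagePropagator implements TextMapPropagator {
  private static final String BAGGAGE_HEADER = "baggage";

  private final TextMapPropagator delegate = W3CBaggagePropagator.getInstance();
  private final int maxHeaderBytes;
  private final int maxMembers;

  public BoundedBaggagePropagator(int maxHeaderBytes, int maxMembers) {
    this.maxHeaderBytes = maxHeaderBytes;
    this.maxMembers = maxMembers;
  }

  @Override
  public Collection<String> fields() {
    return delegate.fields();
  }

  @Override
  public <C> void inject(Context context, C carrier, TextMapSetter<C> setter) {
    // Injection is unchanged: only baggage that passed extract() is in the context.
    delegate.inject(context, carrier, setter);
  }

  @Override
  public <C> Context extract(Context context, C carrier, TextMapGetter<C> getter) {
    if (carrier == null) {
      return context;
    }
    String raw = getter.get(carrier, BAGGAGE_HEADER);
    if (raw != null && !withinBudget(raw, maxHeaderBytes, maxMembers)) {
      // Returning the context untouched leaves Baggage.fromContext(context)
      // empty for this request, so nothing oversized is forwarded downstream.
      return context;
    }
    return delegate.extract(context, carrier, getter);
  }

  /**
   * O(n) pre-check on the raw header. Baggage syntax is ASCII, so the char
   * count is used as the byte count; list members are comma-separated, so the
   * member count is one more than the number of commas.
   */
  static boolean withinBudget(String raw, int maxHeaderBytes, int maxMembers) {
    if (raw.length() > maxHeaderBytes) {
      return false;
    }
    int members = 1;
    for (int i = 0; i < raw.length(); i++) {
      if (raw.charAt(i) == ',' && ++members > maxMembers) {
        return false;
      }
    }
    return true;
  }

  // Demonstration against a Map carrier with constructed headers (not captured traffic).
  public static void main(String[] args) {
    TextMapGetter<Map<String, String>> getter = new TextMapGetter<Map<String, String>>() {
      @Override public Iterable<String> keys(Map<String, String> carrier) { return carrier.keySet(); }
      @Override public String get(Map<String, String> carrier, String key) {
        return carrier == null ? null : carrier.get(key);
      }
    };
    BoundedBaggagePropagator propagator = new BoundedBaggagePropagator(8192, 64);

    Map<String, String> ok = new HashMap<>();
    ok.put(BAGGAGE_HEADER, "tenant=acme,region=eu-west-1");
    Context accepted = propagator.extract(Context.root(), ok, getter);
    System.out.println("accepted keys: " + Baggage.fromContext(accepted).asMap().keySet());

    StringBuilder oversized = new StringBuilder("k=");
    for (int i = 0; i < 100_000; i++) {
      oversized.append('x');
    }
    Map<String, String> huge = new HashMap<>();
    huge.put(BAGGAGE_HEADER, oversized.toString());
    Context rejected = propagator.extract(Context.root(), huge, getter);
    System.out.println("oversized header dropped: " + Baggage.fromContext(rejected).isEmpty());
  }
}
```

To use it with the SDK, register it in place of the stock baggage propagator, for example with ContextPropagators.create(TextMapPropagator.composite(W3CTraceContextPropagator.getInstance(), new BoundedBaggagePropagator(8192, 64))) passed to OpenTelemetrySdk.builder().setPropagators(...); with the Java agent or autoconfigure, a custom propagator has to be supplied through the autoconfigure SPI instead. Two caveats: the wrapper guards only the W3C baggage header, not the baggage carried by the Jaeger and OT propagators in opentelemetry-extension-trace-propagators, and whether repeated baggage header lines are seen as one joined value depends on the carrier's TextMapGetter. It is a stop-gap for the upgrade, not a replacement for it.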
Evidence notes
CVE published 2026-05-28. Fix released in opentelemetry-java 1.62.0. GitHub Security Advisory GHSA-rcgg-9c38-7xpx confirms the vulnerability and remediation.
Official resources
2026-05-28