PatchSiren

open-telemetry CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM open-telemetry CVE published 2026-05-12

CVE-2026-42191

OpenTelemetry.Exporter.OpenTelemetryProtocol versions 1.8.0 through 1.15.2 contain a vulnerability in the experimental OTLP disk retry feature. When `OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk` is enabled without explicitly configuring `OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH`, the exporter silently falls back to `Path.GetTempPath()` for storing retry data. This creates a shared, predictable [truncated]