These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-59892 is a vulnerability in the OpenTelemetry JavaScript client, specifically in the @opentelemetry/propagator-jaeger module. An unauthenticated remote attacker can send a malformed percent-encoded value that throws an uncaught URIError and terminates a Node.js process using JaegerPropagator as the active propagator. The issue is fixed in version 2.9.0. Affected product deployments should be iden [truncated]
CVE-2026-44967 is a vulnerability in the OpenTelemetry-cpp implementation, specifically affecting its OTLP HTTP exporters for traces, metrics, and logs. Prior to the release of version 1.27.0, these exporters would read the full HTTP response into an in-memory vector of bytes without any size cap. This behavior can be exploited for memory exhaustion when the configured collector endpoint is controlled by [truncated]
A low-severity vulnerability (CVSS Score: 2.1) was found in OpenTelemetry-Go, a Go implementation of OpenTelemetry. The issue, tracked as CVE-2026-45287, affects versions prior to 0.0.17. The vulnerability is caused by the `ParseFile` function in `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaking one file descriptor on each successful call. This can lead to a denial [truncated]
CVE-2026-44213 is a MEDIUM severity (CVSS 6.5) vulnerability in the OpenTelemetry.Exporter.Instana NuGet package affecting versions prior to 1.1.0. The package fails to validate HTTPS/TLS certificates when sending telemetry to an Instana backend through a proxy configured via the INSTANA_ENDPOINT_PROXY environment variable. This certificate validation bypass creates a Man-in-the-Middle (MitM) exposure: if [truncated]
A server-side authentication bypass in the OpenTelemetry Collector Contrib Azure Authenticator Extension (azureauthextension) allows any party holding a valid Azure access token for any scope the collector's configured identity can mint to authenticate to any OpenTelemetry receiver using auth: azure_auth. Affected versions from 0.124.0 through 0.150.0 fail to validate incoming bearer tokens as JWTs. Inste [truncated]
OpenTelemetry.Exporter.OpenTelemetryProtocol versions 1.8.0 through 1.15.2 contain a vulnerability in the experimental OTLP disk retry feature. When `OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk` is enabled without explicitly configuring `OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH`, the exporter silently falls back to `Path.GetTempPath()` for storing retry data. This creates a shared, predictable [truncated]
CVE-2026-39883 is a vulnerability in OpenTelemetry-Go, a Go implementation of OpenTelemetry. The vulnerability allows for a PATH hijacking attack on BSD and Solaris platforms. It was introduced in version 1.15.0 and fixed in version 1.43.0. The vulnerability has a CVSS score of 7.3 and is classified as HIGH severity. The vulnerability was published on April 8, 2026, and modified on June 30, 2026.
CVE-2026-33701 is a critical vulnerability in OpenTelemetry Java Instrumentation prior to version 2.26.1. The RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters, potentially allowing remote code execution on JDK version 16 and earlier. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this vulnerab [truncated]
CVE-2026-24051 is a Path Hijacking (Untrusted Search Paths) vulnerability in the OpenTelemetry Go SDK, affecting versions v1.20.0-1.39.0 on macOS/Darwin systems. The vulnerability exists in the resource detection code in `sdk/resource/host_id.go`, which executes the `ioreg` system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrar [truncated]