PatchSiren

OpenTelemetry CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM OpenTelemetry CVE published 2026-05-28

CVE-2026-45292

A vulnerability in OpenTelemetry Java's baggage propagation implementation allows unbounded memory allocation and CPU consumption when parsing oversized baggage headers. The issue affects opentelemetry-api and opentelemetry-extension-trace-propagators prior to version 1.62.0. Because baggage is automatically re-injected into every outgoing request, the amplification effect can propagate to downstream serv [truncated]

HIGH OpenTelemetry CVE published 2026-05-27

CVE-2026-44902

A vulnerability in the OpenTelemetry JavaScript Prometheus exporter allows remote attackers to crash Node.js processes via malformed HTTP requests. The metrics endpoint (default 0.0.0.0:9464) lacks error handling for URL parsing, causing an uncaught TypeError that terminates the process. This affects versions prior to 0.217.0. The vulnerability was published on 2026-05-27 and carries a HIGH severity CVSS [truncated]