{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24051", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-20T22:30:11.778Z", "datePublished": "2026-02-02T19:49:10.038Z", "dateUpdated": "2026-02-03T14:54:41.668Z"}, "containers": {"cna": {"title": "OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking", "problemTypes": [{"descriptions": [{"cweId": "CWE-426", "lang": "en", "description": "CWE-426: Untrusted Search Path", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq"}, {"name": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53"}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-go", "versions": [{"version": ">= 1.21.0, < 1.40.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T19:49:10.038Z"}, "descriptions": [{"lang": "en", "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0."}], "source": {"advisory": "GHSA-9h8m-3fm2-qjrq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T14:53:50.389773Z", "id": "CVE-2026-24051", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T14:54:41.668Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24051", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T14:53:50.389773Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T14:54:37.009Z"}}], "cna": {"title": "OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking", "source": {"advisory": "GHSA-9h8m-3fm2-qjrq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-go", "versions": [{"status": "affected", "version": ">= 1.21.0, < 1.40.0"}]}], "references": [{"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq", "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53", "name": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-426", "description": "CWE-426: Untrusted Search Path"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T19:49:10.038Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24051", "state": "PUBLISHED", "dateUpdated": "2026-02-03T14:54:41.668Z", "dateReserved": "2026-01-20T22:30:11.778Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-02T19:49:10.038Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:opentelemetry-go:*:*:*:*:*:go:*:*", "matchCriteriaId": "D2F3A3DE-73A9-48D9-B3CB-4DE1FB82314B", "versionEndExcluding": "1.40.0", "versionStartIncluding": "1.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0."}, {"lang": "es", "value": "OpenTelemetry-Go es la implementaci\u00f3n de Go de OpenTelemetry. El SDK de Go de OpenTelemetry en la versi\u00f3n v1.20.0-1.39.0 es vulnerable a Secuestro de Ruta (Rutas de B\u00fasqueda No Confiables) en sistemas macOS/Darwin. El c\u00f3digo de detecci\u00f3n de recursos en sdk/resource/host_id.go ejecuta el comando de sistema ioreg utilizando una ruta de b\u00fasqueda. Un atacante con la capacidad de modificar localmente la variable de entorno PATH puede lograr Ejecuci\u00f3n de C\u00f3digo Arbitrario (ACE) dentro del contexto de la aplicaci\u00f3n. Una correcci\u00f3n fue lanzada con la v1.40.0."}], "id": "CVE-2026-24051", "lastModified": "2026-02-27T20:32:10.693", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-02T23:16:07.963", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:34:34.047921+00:00", "value": {"mitigation_remediation": ["Upgrade OpenTelemetry-Go to version 1.40.0 or newer.", "If an upgrade cannot be performed immediately, launch the application in a controlled environment where the PATH variable is set to a trusted, read\u2011only directory only containing system binaries, thereby preventing an attacker from inserting a malicious executable.", "As a temporary measure, avoid executing code paths that invoke system commands\u2014disable host ID detection or set any configuration flags that suppress the execution of ioreg if such options are available."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary Code Execution via Untrusted Search Path"}, "threat_synthesis": {"affected_systems": "This flaw affects the OpenTelemetry-Go SDK for macOS/Darwin distributed under the Linux Foundation \u2013 OpenTelemetry organization. Versions from v1.20.0 through v1.39.0 inclusive are impacted. Applications on other operating systems or later SDK releases are not affected.", "description_and_impact": "The vulnerability in OpenTelemetry-Go allows an attacker who can locally influence the PATH environment variable to cause the SDK to execute a malicious executable instead of the intended system command. This results in arbitrary code execution in the context of any application that imports the affected SDK, compromising confidentiality, integrity, and availability of that application. The weakness is identified as CWE-426, Untrusted Search Path.", "risk_and_exploitability": "The CVSS score of 7.0 indicates a high severity, while the EPSS result of <1% suggests a low probability of exploitation at the current time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker must be able to alter the PATH for the user running the application, a scenario likely involving local compromise or a compromised user account. If the application runs with elevated privileges, the impact could be system\u2011wide. The issue is mitigated in v1.40.0 and later revisions."}}}}, "created": "2026-02-04T12:18:03.678738+00:00", "updated": "2026-04-18T00:45:32.234330+00:00", "vendors": ["opentelemetry", "opentelemetry$PRODUCT$opentelemetry"]}