{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29181", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T14:44:00.713Z", "datePublished": "2026-04-07T20:29:13.933Z", "dateUpdated": "2026-04-08T15:37:02.444Z"}, "containers": {"cna": {"title": "OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475"}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-go", "versions": [{"version": ">= 1.36.0, < 1.41.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:29:13.933Z"}, "descriptions": [{"lang": "en", "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0."}], "source": {"advisory": "GHSA-mh2q-q3fh-2475", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:36:53.783712Z", "id": "CVE-2026-29181", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:37:02.444Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29181", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T14:44:00.713Z", "datePublished": "2026-04-07T20:29:13.933Z", "dateUpdated": "2026-04-08T15:37:02.444Z"}, "containers": {"cna": {"title": "OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475"}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-go", "versions": [{"version": ">= 1.36.0, < 1.41.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:29:13.933Z"}, "descriptions": [{"lang": "en", "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0."}], "source": {"advisory": "GHSA-mh2q-q3fh-2475", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29181", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:36:53.783712Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:36:58.862Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:go:*:*", "matchCriteriaId": "A92EDFF5-4806-4B87-86F2-A3BE4A0A02A9", "versionEndExcluding": "1.41.0", "versionStartIncluding": "1.36.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0."}], "id": "CVE-2026-29181", "lastModified": "2026-04-14T18:45:01.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T21:17:16.003", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.36.0,1.41.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "opentelemetry-go", "source": "cna", "vendor": "open-telemetry"}, "product": "opentelemetry-go", "vendor": "opentelemetry"}], "analysis": {"en": {"generated_at": "2026-04-14T21:31:11.913158+00:00", "value": {"mitigation_remediation": ["Upgrade OpenTelemetry\u2011Go to version 1.41.0 or newer", "Verify that all code dependencies reference the patched version and run integration tests", "Monitor CPU and memory metrics for services that ingest baggage headers and set alert thresholds", "If an upgrade is not immediately possible, implement application\u2011level filtering to reject excessively large or numerous baggage header lines"], "summary": {"action": "Apply Patch", "impact": "Remote Denial of Service via CPU and memory exhaustion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the OpenTelemetry\u2011Go package distributed by the Open Telemetry project. Systems that embed this Go library in their monitoring or instrumentation services and accept incoming baggage headers are at risk. Specifically, versions 1.36.0 through 1.40.0 are affected; versions 1.41.0 and later contain the fix.", "description_and_impact": "OpenTelemetry\u2011Go libraries from version 1.36.0 through 1.40.0 contain a flaw in the handling of multi\u2011value baggage headers. The extraction logic parses each header value separately and then aggregates all entries, which allows an attacker to send many baggage: header lines. Even though each individual value is limited to 8192 bytes, the cumulative effect can generate a large number of temporary objects, leading to excessive CPU usage and memory allocation. This results in a denial\u2011of\u2011service condition for the service that processes the headers, without exposing any confidential data or elevating privileges.", "risk_and_exploitability": "The CVSS base score of 7.5 reflects a high severity, while the EPSS score of less than 1% indicates a low probability of active exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no widespread exploitation. The attack vector is not explicitly stated in the CVE description; it is inferred that an attacker would need to deliver crafted baggage headers over HTTP or a compatible transport to a service that ingests baggage data. Once triggered, the target experiences high CPU consumption and memory pressure, potentially denying legitimate traffic."}}}}, "created": "2026-04-08T19:45:46.577612+00:00", "updated": "2026-04-15T16:15:11.969638+00:00", "vendors": ["opentelemetry", "opentelemetry$PRODUCT$opentelemetry-go"]}