{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40182", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T20:59:17.619Z", "datePublished": "2026-04-23T17:51:34.961Z", "dateUpdated": "2026-04-23T18:38:57.155Z"}, "containers": {"cna": {"title": "OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies", "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933"}, {"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564"}, {"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017"}, {"name": "https://github.com/open-telemetry/opentelemetry-proto/pull/781", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-proto/pull/781"}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-dotnet", "versions": [{"version": ">= 1.13.1, < 1.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T17:51:34.961Z"}, "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2."}], "source": {"advisory": "GHSA-q834-8qmm-v933", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T18:38:48.491134Z", "id": "CVE-2026-40182", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T18:38:57.155Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40182", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T18:38:48.491134Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T18:38:53.555Z"}}], "cna": {"title": "OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies", "source": {"advisory": "GHSA-q834-8qmm-v933", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-dotnet", "versions": [{"status": "affected", "version": ">= 1.13.1, < 1.15.2"}]}], "references": [{"url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933", "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564", "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017", "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/open-telemetry/opentelemetry-proto/pull/781", "name": "https://github.com/open-telemetry/opentelemetry-proto/pull/781", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T17:51:34.961Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40182", "state": "PUBLISHED", "dateUpdated": "2026-04-23T18:38:57.155Z", "dateReserved": "2026-04-09T20:59:17.619Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-23T17:51:34.961Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:*", "matchCriteriaId": "5539A01E-6E54-4AE2-8D72-6E5C15C01C61", "versionEndExcluding": "1.15.2", "versionStartIncluding": "1.13.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2."}], "id": "CVE-2026-40182", "lastModified": "2026-04-29T13:52:26.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-23T18:16:28.130", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/open-telemetry/opentelemetry-proto/pull/781"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.13.1,1.15.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "opentelemetry-dotnet", "vendor": "opentelemetry"}], "analysis": {"en": {"generated_at": "2026-04-28T14:49:57.773711+00:00", "value": {"mitigation_remediation": ["Update to version 1.15.2 or newer.", "If an update is not immediately possible, configure your application to reject or truncate excessively large response bodies in the OTLP exporter.", "Limit the maximum size of untrusted HTTP responses on the exporter or collector side to prevent uncontrolled memory consumption."], "summary": {"action": "Patch Now", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open-telemetry:opentelemetry-dotnet product, specifically versions from 1.13.1 through 1.15.1. The problem was resolved in version 1.15.2.", "description_and_impact": "OpenTelemetry dotnet\u2019s OTLP exporter can read an entire HTTP response into memory when the backend returns a 4xx or 5xx status code, without imposing an upper limit on the data size. This unbounded allocation may exhaust application memory and cause the process to fail or become unresponsive. The impact is a loss of availability for the affected application, without directly compromising confidentiality or integrity.", "risk_and_exploitability": "The CVSS score of 5.3 places the flaw in the medium severity range, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker or a MitM adversary to control the backend or collector endpoint and to return an unusually large response body upon an error status, leading to memory exhaustion."}}}}, "created": "2026-04-28T09:25:53.692714+00:00", "updated": "2026-04-28T15:00:14.507313+00:00", "vendors": ["opentelemetry", "opentelemetry$PRODUCT$opentelemetry-dotnet"]}