CVE-2026-45292
Denial of Service vulnerability in opentelemetry-api (Maven)


What is CVE-2026-45292 About?

This vulnerability lies in the baggage propagation implementation of `opentelemetry-api` and `opentelemetry-extension-trace-propagators`, allowing oversized baggage parsing to cause unbounded memory allocation and CPU consumption. This can lead to a denial of service, particularly in internal services or custom transports. Exploiting this is moderately easy as it relies on sending a crafted oversized baggage header.

Affected Software

  • io.opentelemetry:opentelemetry-api
    • <1.62.0
  • io.opentelemetry:opentelemetry-extension-trace-propagators
    • <1.62.0

Technical Details

The W3CBaggagePropagator, JaegerPropagator, and OtTracePropagator in opentelemetry-api and opentelemetry-extension-trace-propagators lacked enforcement of limits on the total size or entry count of the baggage header. When a malformed or oversized baggage header is received, the parsers iterate character-by-character through the entire excessively long value, leading to unbounded memory allocation and CPU consumption. This resource exhaustion can induce a denial of service. The effect can also fan out to downstream services when the oversized baggage is re-injected into outgoing requests, even if the downstream services never directly received the initial malicious request.
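An interim guard for services that cannot move to 1.62.0 yet, added here as an example and not code from the OpenTelemetry project: it wraps the real `W3CBaggagePropagator` and drops any `baggage` header that exceeds a locally chosen length or entry-count limit before the character-by-character parser ever runs. The class name `BoundedBaggagePropagator` and the two limit values are assumptions, not values from the advisory.

```java
import io.opentelemetry.api.baggage.propagation.W3CBaggagePropagator;
import io.opentelemetry.context.Context;
import io.opentelemetry.context.propagation.TextMapGetter;
import io.opentelemetry.context.propagation.TextMapPropagator;
import io.opentelemetry.context.propagation.TextMapSetter;
import java.util.Collection;

/** Rejects an oversized "baggage" header before the delegate's unbounded parser sees it. */
public final class BoundedBaggagePropagator implements TextMapPropagator {
  private static final String BAGGAGE_HEADER = "baggage";
  // Assumed limits chosen for this example; tune them to what your services actually need.
  private static final int MAX_HEADER_CHARS = 8192, MAX_ENTRIES = 64;

  private final TextMapPropagator delegate = W3CBaggagePropagator.getInstance();

  @Override
  public Collection<String> fields() {
    return delegate.fields();
  }

  @Override
  public <C> void inject(Context context, C carrier, TextMapSetter<C> setter) {
    delegate.inject(context, carrier, setter);
  }

  @Override
  public <C> Context extract(Context context, C carrier, TextMapGetter<C> getter) {
    String header = getter.get(carrier, BAGGAGE_HEADER);
    if (header == null || isWithinLimits(header)) {
      return delegate.extract(context, carrier, getter);
    }
    // Oversized or too many entries: drop the header so it is neither parsed here
    // nor re-injected into outgoing requests to downstream services.
    return context;
  }

  /** Cheap pre-check on length and comma-separated entry count; stops at the first violation. */
  static boolean isWithinLimits(String header) {
    if (header.length() > MAX_HEADER_CHARS) {
      return false;
    }
    int entries = 1;
    for (int i = 0; i < header.length(); i++) {
      if (header.charAt(i) == ',' && ++entries > MAX_ENTRIES) {
        return false;
      }
    }
    return true;
  }
}
```

Register it in place of `W3CBaggagePropagator.getInstance()` when building the `ContextPropagators` composite; `JaegerPropagator` and `OtTracePropagator` carry baggage in their own header names and would need the same treatment separately.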

What is the Impact of CVE-2026-45292?

Successful exploitation may allow attackers to cause resource exhaustion, leading to a denial of service of affected applications and potentially cascading effects on interconnected services.

What is the Exploitability of CVE-2026-45292?

Exploitation complexity is low to moderate. It requires crafting an oversized baggage header and sending it to a vulnerable service. No authentication is inherently required if the service accepts unauthenticated requests with baggage headers. Privilege requirements are minimal, as the attack focuses on resource consumption. The attack can be remote, targeting internet-facing services, but the risk is higher in internal networks or when non-HTTP/custom transports are used, as external HTTP server limits often mitigate the issue. Special conditions include the absence of transport-layer limits on header size. The likelihood of exploitation increases when vulnerable services are exposed to untrusted input sources without proper header size validation.

What are the Known Public Exploits?

No known public exploits (PoC, author, link, commentary) are listed.

What are the Available Fixes for CVE-2026-45292?

Available Upgrade Options

  • io.opentelemetry:opentelemetry-api
    • <1.62.0 → Upgrade to 1.62.0
  • io.opentelemetry:opentelemetry-extension-trace-propagators
    • <1.62.0 → Upgrade to 1.62.0


Additional Resources

What are Similar Vulnerabilities to CVE-2026-45292?

Similar Vulnerabilities: CVE-2021-3968, CVE-2023-26159, CVE-2020-28196, CVE-2022-38708, CVE-2022-23420