GO-2026-4394
Arbitrary Code Execution vulnerability in resource (Go)

Arbitrary Code Execution | No known exploit

What is GO-2026-4394 About?

This vulnerability in the OpenTelemetry Go SDK allows arbitrary code execution through PATH hijacking. An attacker who can manipulate the system's PATH environment variable can cause the application to execute malicious code. This could lead to full system compromise and is potentially easy to exploit under specific environmental conditions.

Affected Software

  • go.opentelemetry.io/otel/sdk/resource
    • >=1.21.0, <1.40.0
  • go.opentelemetry.io/otel/sdk
    • >=1.21.0, <1.40.0

Technical Details

The OpenTelemetry Go SDK, specifically go.opentelemetry.io/otel/sdk, is vulnerable to arbitrary code execution via PATH hijacking. In this class of attack, the attacker controls or influences the PATH environment variable so that a directory holding a malicious executable is listed before the directories of the legitimate system binaries. When the application, or a component within otel/sdk, invokes an external command by bare name rather than by absolute path, the command lookup (in a Go program, os/exec resolving the name through exec.LookPath) searches the PATH directories in order and runs the first matching executable. If the attacker-controlled directory comes first, the malicious executable runs in place of the intended one, with the privileges and context of the vulnerable application.

What is the Impact of GO-2026-4394?

Successful exploitation may allow attackers to execute arbitrary code on the affected system, potentially leading to full system compromise, data theft, or further malicious activities.

What is the Exploitability of GO-2026-4394?

Exploitation complexity depends on the attacker's ability to manipulate the system's PATH environment variable and can range from moderate to high. No authentication is required if the attacker can influence the environment in which the OpenTelemetry Go SDK runs, for example through a supply chain attack or a misconfigured deployment environment. Privilege requirements vary: if a low-privileged user can modify the PATH seen by the application, exploitation can occur at that privilege level, while persistently altering system-wide PATH settings usually requires higher privileges. Exploitation is local when the attacker has direct access to the system, and remote when the attacker can control environment variables through other means, such as web application parameters or untrusted configuration files. Two conditions must hold: the application must invoke an external command without specifying its full path, and the attacker must inject a directory they control into the PATH variable ahead of the legitimate binary's directory. The primary risk factor is an environment where the PATH variable is easily modifiable or inherits untrusted values.
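The lookup mechanism described under Technical Details and the PATH conditions described above, as an added Go example; this is not code from the advisory or from the OpenTelemetry SDK, and it does not claim to show which command the SDK invokes. It assumes a hypothetical helper binary name (hostinfo), a constructed PATH and a constructed in-memory map standing in for the filesystem. ResolveTrusted performs the same left-to-right PATH search that os/exec performs for a bare name but refuses a match outside an allowlist of directories, which is the check that is absent when a caller hands a bare name straight to exec.Command; AuditPATH flags the PATH entries (empty, ".", relative, under /tmp) that make an environment "easily modifiable" in the sense used above.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUntrusted: the first PATH match lies outside the allowlisted directories.
var ErrUntrusted = errors.New("command resolved to an untrusted directory")

// ErrNotFound: no PATH entry holds an executable of that name.
var ErrNotFound = errors.New("command not found in PATH")

// lookPath mirrors what os/exec does for a bare command name: walk the PATH
// entries left to right and return the first one holding an executable of
// that name. isExec is injected so the search can run against a constructed
// filesystem map instead of the real one.
func lookPath(name, pathEnv string, isExec func(string) bool) (string, error) {
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" {
			dir = "." // an empty PATH entry means the current directory on POSIX
		}
		candidate := filepath.Join(dir, name)
		if isExec(candidate) {
			return candidate, nil
		}
	}
	return "", ErrNotFound
}

// ResolveTrusted runs the same search but refuses any match whose directory
// is not in trustedDirs. This is the check that is missing when a caller
// passes a bare name straight to exec.Command and lets PATH order decide.
func ResolveTrusted(name, pathEnv string, trustedDirs []string, isExec func(string) bool) (string, error) {
	if strings.ContainsRune(name, filepath.Separator) {
		return "", fmt.Errorf("%q: expected a bare command name", name)
	}
	resolved, err := lookPath(name, pathEnv, isExec)
	if err != nil {
		return "", err
	}
	dir := filepath.Dir(resolved)
	for _, t := range trustedDirs {
		if dir == filepath.Clean(t) {
			return resolved, nil
		}
	}
	return "", fmt.Errorf("%w: %s", ErrUntrusted, resolved)
}

// AuditPATH reports the PATH entries that make hijacking easy: empty entries
// and ".", relative directories, and anything under the world-writable /tmp.
func AuditPATH(pathEnv string) []string {
	var findings []string
	for i, dir := range filepath.SplitList(pathEnv) {
		switch {
		case dir == "" || dir == ".":
			findings = append(findings, fmt.Sprintf("entry %d: current directory is searched", i))
		case !filepath.IsAbs(dir):
			findings = append(findings, fmt.Sprintf("entry %d: relative directory %q", i, dir))
		case dir == "/tmp" || strings.HasPrefix(dir, "/tmp/"):
			findings = append(findings, fmt.Sprintf("entry %d: world-writable location %q", i, dir))
		}
	}
	return findings
}

func main() {
	// Constructed filesystem map (not a real system): which paths are executables.
	// "hostinfo" is a hypothetical helper name, not a command the SDK invokes.
	fakeFS := map[string]bool{
		"/tmp/evil/hostinfo": true, // attacker-controlled copy
		"/usr/bin/hostinfo":  true, // legitimate binary
	}
	isExec := func(p string) bool { return fakeFS[p] }
	trusted := []string{"/usr/bin", "/bin"}

	// Constructed PATH with an attacker-writable directory listed first.
	hijacked := "/tmp/evil:/usr/bin:/bin"
	for _, f := range AuditPATH(hijacked) {
		fmt.Println("audit:", f)
	}
	if _, err := ResolveTrusted("hostinfo", hijacked, trusted, isExec); err != nil {
		fmt.Println("blocked:", err) // blocked: command resolved to an untrusted directory: /tmp/evil/hostinfo
	}
	// With a sane PATH the same lookup yields the legitimate binary.
	if p, err := ResolveTrusted("hostinfo", "/usr/bin:/bin", trusted, isExec); err == nil {
		fmt.Println("ok:", p) // ok: /usr/bin/hostinfo
	}
}
```

In a real deployment the isExec predicate would be a stat of the candidate path, and the simplest fix remains the one the fixed SDK version represents for its callers: upgrade, and where your own code shells out, pass an absolute path or the result of a check like ResolveTrusted rather than a bare name. AuditPATH is also a useful startup assertion or CI check for containers whose PATH is assembled from layered base images.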

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits (no entries)

What are the Available Fixes for GO-2026-4394?

Available Upgrade Options

  • go.opentelemetry.io/otel/sdk
    • >=1.21.0, <1.40.0 → Upgrade to 1.40.0
  • go.opentelemetry.io/otel/sdk/resource
    • >=1.21.0, <1.40.0 → Upgrade to 1.40.0


Additional Resources

What are Similar Vulnerabilities to GO-2026-4394?

Similar Vulnerabilities: CVE-2016-1000027, CVE-2019-10775, CVE-2021-29490, CVE-2022-38600, CVE-2023-28952