Description
Swift W3C TraceContext is a Swift implementation of the W3C Trace Context standard, and Swift OTel is an OpenTelemetry Protocol (OTLP) backend for Swift Log, Swift Metrics, and Swift Distributed Tracing. Prior to Swift W3C TraceContext version 1.0.0-beta.5 and Swift OTel version 1.0.4, a denial-of-service vulnerability due to improper input validation allows a remote attacker to crash the service via a malformed HTTP header. This allows crashing the process with data coming from the network when the library is used with, for example, an HTTP server. The most common way of using Swift W3C Trace Context is through Swift OTel. Version 1.0.0-beta.5 of Swift W3C TraceContext and version 1.0.4 of Swift OTel contain a patch for this issue. As a workaround, disable either Swift OTel or the code that extracts the trace information from an incoming header (such as a `TracingMiddleware`).
Published: 2026-01-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Process Crash
Action: Apply Patch
AI Analysis

Impact

Swift W3C TraceContext fails to properly validate the value of a W3C Trace Context HTTP header, allowing a malformed header sent over the network to trigger a crash of the process that uses the library. The impact is a denial‑of‑service condition and potential unavailability of the affected service, but it does not provide remote code execution or privilege escalation. The weakness is an instance of Improper Input Validation (CWE‑20).

Affected Systems

All Swift W3C TraceContext implementations prior to version 1.0.0‑beta.5 and all Swift OTel implementations prior to version 1.0.4 are vulnerable. These components are commonly embedded in Swift Log, Swift Metrics, and Swift Distributed Tracing setups and are typically exposed through an HTTP server that consumes incoming Trace Context headers. If these libraries are in the request‑processing pipeline, the service is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% shows a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known, current exploits. Attackers would need only the ability to send a crafted HTTP request to a server that uses the vulnerable library; the malformed header would trigger a crash, causing a denial of service. No additional privileges or administrative access are required.

Generated by OpenCVE AI on April 18, 2026 at 04:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Swift W3C TraceContext to version 1.0.0‑beta.5 or later, which contains the input‑validation fix.
  • Upgrade Swift OTel to version 1.0.4 or later, which includes the corresponding patch for the tracing middleware.
  • If an immediate upgrade is not possible, temporarily disable Swift OTel or remove the code that extracts trace information from incoming headers, such as the TracingMiddleware, to prevent processing malformed headers.

Generated by OpenCVE AI on April 18, 2026 at 04:57 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-mvpq-2v8x-ww6g
Title: Swift W3C TraceContext vulnerable to a malformed HTTP header causing a crash
History

Wed, 21 Jan 2026 21:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 08:45:00 +0000

Type: First Time appeared
Values added: Swift-otel; Swift-otel swift-w3c-trace-context

Type: Vendors & Products
Values added: Swift-otel; Swift-otel swift-w3c-trace-context

Mon, 19 Jan 2026 21:15:00 +0000

Type: Description
Values added: the CVE description (text identical to the Description section at the top of this page)

Type: Title
Values added: Swift W3C TraceContext has malformed HTTP header that can cause a crash

Type: Weaknesses
Values added: CWE-20

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-21T20:47:10.139Z

Reserved: 2026-01-16T21:02:02.901Z

Link: CVE-2026-23886

Vulnrichment

Updated: 2026-01-21T20:47:05.007Z

NVD

Status: Deferred

Published: 2026-01-19T21:15:52.597

Modified: 2026-06-17T10:22:15.497

Link: CVE-2026-23886

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:00:06Z

Weaknesses
  • CWE-20: Improper Input Validation