Description
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.
Published: 2026-02-02
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution via Untrusted Search Path
Action: Patch Immediately
AI Analysis

Impact

The vulnerability in OpenTelemetry-Go allows an attacker who can locally influence the PATH environment variable to cause the SDK to execute a malicious executable instead of the intended system command. This results in arbitrary code execution in the context of any application that imports the affected SDK, compromising confidentiality, integrity, and availability of that application. The weakness is identified as CWE-426, Untrusted Search Path.

Affected Systems

This flaw affects the OpenTelemetry-Go SDK for macOS/Darwin distributed under the Linux Foundation – OpenTelemetry organization. Versions from v1.20.0 through v1.39.0 inclusive are impacted. Applications on other operating systems or later SDK releases are not affected.

Risk and Exploitability

The CVSS score of 7.0 indicates a high severity, while the EPSS result of <1% suggests a low probability of exploitation at the current time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker must be able to alter the PATH for the user running the application, a scenario likely involving local compromise or a compromised user account. If the application runs with elevated privileges, the impact could be system‑wide. The issue is mitigated in v1.40.0 and later revisions.

Generated by OpenCVE AI on April 18, 2026 at 00:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenTelemetry-Go to version 1.40.0 or newer.
  • If an upgrade cannot be performed immediately, launch the application in a controlled environment where the PATH variable is set to a trusted, read‑only directory only containing system binaries, thereby preventing an attacker from inserting a malicious executable.
  • As a temporary measure, avoid executing code paths that invoke system commands—disable host ID detection or set any configuration flags that suppress the execution of ioreg if such options are available.

Generated by OpenCVE AI on April 18, 2026 at 00:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9h8m-3fm2-qjrq OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking
History

Fri, 27 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation opentelemetry-go
CPEs cpe:2.3:a:linuxfoundation:opentelemetry-go:*:*:*:*:*:go:*:*
Vendors & Products Linuxfoundation
Linuxfoundation opentelemetry-go

Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Opentelemetry
Opentelemetry opentelemetry
Vendors & Products Opentelemetry
Opentelemetry opentelemetry

Tue, 03 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.
Title OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking
Weaknesses CWE-426
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Linuxfoundation Opentelemetry-go
Opentelemetry Opentelemetry
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T14:54:41.668Z

Reserved: 2026-01-20T22:30:11.778Z

Link: CVE-2026-24051

cve-icon Vulnrichment

Updated: 2026-02-03T14:54:37.009Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T23:16:07.963

Modified: 2026-02-27T20:32:10.693

Link: CVE-2026-24051

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses