Description
OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2.
Published: 2026-04-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

OpenTelemetry dotnet’s OTLP exporter can read an entire HTTP response into memory when the backend returns a 4xx or 5xx status code, without imposing an upper limit on the data size. This unbounded allocation may exhaust application memory and cause the process to fail or become unresponsive. The impact is a loss of availability for the affected application, without directly compromising confidentiality or integrity.

Affected Systems

The vulnerability affects the open-telemetry:opentelemetry-dotnet product, specifically versions from 1.13.1 through 1.15.1. The problem was resolved in version 1.15.2.

Risk and Exploitability

The CVSS score of 5.3 places the flaw in the medium severity range, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker or a MitM adversary to control the backend or collector endpoint and to return an unusually large response body upon an error status, leading to memory exhaustion.

Generated by OpenCVE AI on April 28, 2026 at 14:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to version 1.15.2 or newer.
  • If an update is not immediately possible, configure your application to reject or truncate excessively large response bodies in the OTLP exporter.
  • Limit the maximum size of untrusted HTTP responses on the exporter or collector side to prevent uncontrolled memory consumption.

Generated by OpenCVE AI on April 28, 2026 at 14:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q834-8qmm-v933 OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies
History

Wed, 29 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Opentelemetry opentelemetry
CPEs cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:*
Vendors & Products Opentelemetry opentelemetry

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Opentelemetry
Opentelemetry opentelemetry-dotnet
Vendors & Products Opentelemetry
Opentelemetry opentelemetry-dotnet

Thu, 23 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Description OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2.
Title OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies
Weaknesses CWE-789
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Opentelemetry Opentelemetry Opentelemetry-dotnet
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T18:38:57.155Z

Reserved: 2026-04-09T20:59:17.619Z

Link: CVE-2026-40182

cve-icon Vulnrichment

Updated: 2026-04-23T18:38:53.555Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T18:16:28.130

Modified: 2026-04-29T13:52:26.743

Link: CVE-2026-40182

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses