Description
OpenTelemetry.Exporter.OneCollector is a .NET exporter that sends telemetry to a OneCollector back-end over HTTP. In versions 1.15.0 and earlier, when a request to the configured back-end or collector results in an unsuccessful HTTP 4xx or 5xx response, the HttpJsonPostTransport class reads the entire response body into memory with no upper bound on the number of bytes consumed in order to include the error response in operator logs.

An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the configured back-end or collector endpoint. This issue is fixed in version 1.15.1, which limits the number of bytes read from the response body in an error condition to 4 MiB.
Published: 2026-05-06
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the OpenTelemetry.Exporter.OneCollector .NET exporter, any HTTP 4xx or 5xx response from the configured back-end causes the HttpJsonPostTransport class to read the full response body into memory with no size limit, so that the error can be written to operator logs. Because the size of that body is chosen by whoever answers the request, the read turns into unbounded heap allocation that can exhaust memory, trigger long garbage‑collection pauses and ultimately raise an OutOfMemoryException that terminates the process hosting the exporter. The weakness is allocation of resources without limits or throttling (CWE‑770), and its consequence is denial of service against the instrumented application, not only against the telemetry path.
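The read pattern the description and the paragraph above refer to, shown beside a bounded replacement. This is an added illustration in C#, not code from OpenTelemetry.Exporter.OneCollector: the class, method and stream names below are invented for the example, and the 4 MiB figure is taken from the advisory's description of the 1.15.1 fix. The hostile endpoint is simulated with a constructed stream that never ends, so the program runs offline.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Illustrative only. BoundedErrorBodyReader, EndlessStream and the method names are
// invented for this example; they are not types from OpenTelemetry.Exporter.OneCollector.
public static class BoundedErrorBodyReader
{
    // The cap the advisory says version 1.15.1 applies to error-response reads.
    public const int MaxErrorBodyBytes = 4 * 1024 * 1024;

    // Vulnerable pattern: the whole body is buffered, however much the server sends.
    // A hostile or intercepted endpoint that streams gigabytes behind a 5xx drives the
    // process into GC stalls and, eventually, OutOfMemoryException.
    public static Task<string> ReadErrorBodyUnboundedAsync(HttpResponseMessage response)
        => response.Content.ReadAsStringAsync();

    // Hardened pattern: read at most maxBytes from the response stream, then stop.
    // Content-Length is deliberately not consulted; the attacker sets that header too.
    public static async Task<(string Body, bool Truncated)> ReadErrorBodyBoundedAsync(
        HttpResponseMessage response, int maxBytes = MaxErrorBodyBytes, CancellationToken ct = default)
    {
        using Stream body = await response.Content.ReadAsStreamAsync(ct).ConfigureAwait(false);
        using var collected = new MemoryStream();
        byte[] chunk = new byte[16 * 1024];

        while (collected.Length < maxBytes)
        {
            int want = (int)Math.Min(chunk.Length, maxBytes - collected.Length);
            int read = await body.ReadAsync(chunk.AsMemory(0, want), ct).ConfigureAwait(false);
            if (read == 0) break;               // server ended the body within the cap
            collected.Write(chunk, 0, read);
        }

        // One probe byte tells us whether anything was left behind. The remainder is
        // not drained: disposing the response tears the connection down instead.
        bool truncated = collected.Length >= maxBytes
            && await body.ReadAsync(chunk.AsMemory(0, 1), ct).ConfigureAwait(false) > 0;

        string text = Encoding.UTF8.GetString(collected.GetBuffer(), 0, (int)collected.Length);
        return (text, truncated);
    }
}

// Constructed stand-in for a hostile endpoint: a response body that never ends.
sealed class EndlessStream : Stream
{
    public override bool CanRead => true;
    public override bool CanSeek => false;
    public override bool CanWrite => false;
    public override long Length => throw new NotSupportedException();
    public override long Position
    {
        get => throw new NotSupportedException();
        set => throw new NotSupportedException();
    }
    public override void Flush() { }
    public override int Read(byte[] buffer, int offset, int count)
    {
        Array.Fill(buffer, (byte)'A', offset, count);   // there is always "more data"
        return count;
    }
    public override long Seek(long offset, SeekOrigin origin) => throw new NotSupportedException();
    public override void SetLength(long value) => throw new NotSupportedException();
    public override void Write(byte[] buffer, int offset, int count) => throw new NotSupportedException();
}

static class Program
{
    static async Task Main()
    {
        using var hostile = new HttpResponseMessage(HttpStatusCode.InternalServerError)
        {
            Content = new StreamContent(new EndlessStream()),
        };

        // ReadErrorBodyUnboundedAsync(hostile) would never return: it allocates until the
        // runtime throws OutOfMemoryException. The bounded reader stops at 4 MiB.
        var (text, truncated) = await BoundedErrorBodyReader.ReadErrorBodyBoundedAsync(hostile);
        Console.WriteLine(
            $"HTTP {(int)hostile.StatusCode}: captured {text.Length} characters of body, truncated={truncated}");
    }
}
```

The bound is enforced on the byte stream itself, not on the declared Content-Length, and the reader records that it truncated so the log line says so rather than silently presenting a partial body as the whole error. A diagnostic log rarely needs anything close to 4 MiB; a few KiB is usually enough, and the same discipline belongs on any other body a client reads only to log it.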

Affected Systems

The issue affects the OpenTelemetry.Exporter.OneCollector package from the opentelemetry-dotnet-contrib repository in all releases 1.15.0 and earlier. Version 1.15.1 fixes it by limiting the number of bytes read from an error response to 4 MiB.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (vector AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) rates the vulnerability as medium: no privileges or user interaction are required and the availability impact is high, but the attack vector is adjacent and the attack complexity high, reflecting that the attacker must either control the configured back-end endpoint or be positioned to intercept traffic to it. No EPSS score is published, and the vulnerability is not listed in the CISA KEV catalog, so there is no public evidence of exploitation in the wild. Once an attacker can return an arbitrarily large 4xx or 5xx response body, the process hosting the exporter consumes memory without bound and may terminate, which is a denial of service against the instrumented application itself.

Generated by OpenCVE AI on May 6, 2026 at 22:35 UTC.

Remediation

Fixed in OpenTelemetry.Exporter.OneCollector 1.15.1, which limits the bytes read from an error response to 4 MiB. Until the upgrade is applied, the advisory recommends network-level controls (firewall rules, mTLS, or a service mesh) to prevent interception of traffic to the configured back-end or collector endpoint.

OpenCVE Recommended Actions

  • Upgrade the OpenTelemetry.Exporter.OneCollector package (from opentelemetry‑dotnet‑contrib) to version 1.15.1 or newer, which enforces a 4 MiB cap on the bytes read from error‑response bodies.
  • If the upgrade cannot be applied immediately, use network‑level controls, such as firewall rules, mutual TLS, or a service mesh, so that the exporter only ever reaches the intended back‑end or collector and traffic on that path cannot be intercepted or redirected.
  • As an additional precaution, consider placing a reverse proxy or gateway in front of the collector that limits the size of responses before they reach the application; this only helps if the proxy itself is the trusted hop, since the exporter will trust whatever answers on the configured endpoint.

Advisories
Source: GitHub GHSA
ID: GHSA-55m9-299j-53c7
Title: OneCollector exporter reads unbounded HTTP response bodies
History

Wed, 06 May 2026 23:15:00 +0000

Type: First Time appeared
Values Added: Opentelemetry; Opentelemetry opentelemetry-dotnet-contrib

Type: Vendors & Products
Values Added: Opentelemetry; Opentelemetry opentelemetry-dotnet-contrib

Wed, 06 May 2026 21:30:00 +0000

Type: Description
Values Added: the description shown at the top of this page

Type: Title
Values Added: OpenTelemetry.Exporter.OneCollector vulnerable to denial of service via unbounded HTTP error response body

Type: Weaknesses
Values Added: CWE-770

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-06T21:00:07.430Z

Reserved: 2026-04-20T16:14:19.006Z

Link: CVE-2026-41484

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T22:16:26.050

Modified: 2026-05-06T22:16:26.050

Link: CVE-2026-41484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T23:00:14Z

Weaknesses