Description
OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured OpAMP server is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response. This vulnerability is fixed in 0.2.0-alpha.1.
Published: 2026-05-12
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The OpAMP client, used by OpenTelemetry .NET, reads HTTP responses without imposing any upper bound on the size of the response body. An attacker who can control the OpAMP server or perform a man‑in‑the‑middle attack can cause the client to allocate an arbitrarily large buffer, leading to excessive memory consumption and potential application failure. This vulnerability is classified as CWE‑789 (Uncontrolled Memory Allocation).

Affected Systems

OpenTelemetry .NET OpAMP client, part of the OpenTelemetry dotnet contrib library. Versions before 0.2.0‑alpha.1 are affected; the fix is incorporated in 0.2.0‑alpha.1 and later releases.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and no EPSS information is available. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by directing an application to an attacker‑controlled OpAMP server or by intercepting traffic and injecting a large HTTP body. Successful exploitation can exhaust application memory and cause a crash or unresponsiveness, resulting in a denial‑of‑service condition for any users of the application.

Generated by OpenCVE AI on May 12, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenTelemetry dotnet contrib library to version 0.2.0‑alpha.1 or newer to apply the memory‑allocation fix
  • If upgrading is not immediately possible, restrict network connectivity to trusted OpAMP servers or block the OpAMP port from untrusted networks to mitigate the risk of malicious responses
  • Monitor application memory usage and log the size of OpAMP responses; investigate any unusually large responses to prevent or detect exploitation attempts

Generated by OpenCVE AI on May 12, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w2jh-77fq-7gp8 OpAMP client reads unbounded HTTP response bodies
History

Tue, 12 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Opentelemetry
Opentelemetry opentelemetry-dotnet-contrib
Vendors & Products Opentelemetry
Opentelemetry opentelemetry-dotnet-contrib

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured OpAMP server is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response. This vulnerability is fixed in 0.2.0-alpha.1.
Title OpAMP client reads unbounded HTTP response bodies
Weaknesses CWE-789
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Opentelemetry Opentelemetry-dotnet-contrib
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T18:01:41.812Z

Reserved: 2026-04-26T13:26:14.515Z

Link: CVE-2026-42348

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T18:17:24.700

Modified: 2026-05-12T18:17:24.700

Link: CVE-2026-42348

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T23:30:26Z

Weaknesses