Description
OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the OpenTelemetry C++ library where OTLP HTTP exporters read the entire HTTP response into an uncapped in-memory vector. An attacker who supplies a large or infinite response can trigger excessive memory consumption, potentially exhausting system resources and causing denial of service. This weakness corresponds to CWE-789, unbounded memory allocation.

Affected Systems

Affected versions are all releases of OpenTelemetry C++ before 1.27.0, specifically the OTLP HTTP exporters for traces, metrics, and logs. The affected product is open-telemetry:opentelemetry-cpp.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact, and an EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires an attacker who can manipulate the collector endpoint, either by directly controlling it or by man-in-the-middle attacks that redirect the exporter to a malicious server. The attack path does not require privileged access and thus can be launched remotely against any deployment that uses an untrusted endpoint.

Generated by OpenCVE AI on June 12, 2026 at 16:24 UTC.
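To make the defect class concrete, the following added example (not code from opentelemetry-cpp) contrasts an uncapped response sink with one that enforces a caller-chosen byte limit and tells the HTTP client to abort; the sink names, the cap value and the chunked feeder are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>
// Uncapped sink: the pattern the advisory describes. Every chunk the peer
// sends is appended, so the peer decides how much memory the exporter uses.
struct UnboundedBody {
  std::vector<uint8_t> bytes;
  bool OnChunk(const uint8_t* data, size_t len) {
    bytes.insert(bytes.end(), data, data + len);
    return true;  // never refuses data
  }
};

// Capped sink: refuses to grow past max_bytes and tells the caller to abort
// the transfer. The cap value is chosen by the caller (an assumption here).
class BoundedBody {
 public:
  explicit BoundedBody(size_t max_bytes) : max_bytes_(max_bytes) {}
  bool OnChunk(const uint8_t* data, size_t len) {
    if (overflowed_) return false;
    // Compare remaining headroom, not size + len, so the check cannot wrap.
    if (len > max_bytes_ - bytes_.size()) {
      overflowed_ = true;
      std::vector<uint8_t>().swap(bytes_);  // release what was buffered
      return false;
    }
    bytes_.insert(bytes_.end(), data, data + len);
    return true;
  }
  bool overflowed() const { return overflowed_; }
  const std::vector<uint8_t>& bytes() const { return bytes_; }
 private:
  size_t max_bytes_;
  bool overflowed_ = false;
  std::vector<uint8_t> bytes_;
};

// Constructed stand-in for the HTTP client: streams `total` body bytes in `chunk`-sized pieces, stopping when the sink refuses one.
template <class Sink>
bool FeedResponse(Sink& sink, size_t total, size_t chunk) {
  std::vector<uint8_t> buf(chunk, 0x41);
  for (size_t sent = 0; sent < total;) {
    size_t n = std::min(chunk, total - sent);
    if (!sink.OnChunk(buf.data(), n)) return false;
    sent += n;
  }
  return true;
}
```

With the capped sink a hostile endpoint can force at most `max_bytes` of buffering before the exporter drops the response, which is the bound the 1.27.0 fix introduces in spirit.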

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade opentelemetry-cpp to version 1.27.0 or later to apply the bound on HTTP response size.
  • Configure the exporter to use strictly validated, trusted collector endpoints and block connections to unapproved domains.
  • Monitor memory usage of the exporter processes to detect abnormal consumption and trigger alerts if thresholds are exceeded.

Generated by OpenCVE AI on June 12, 2026 at 16:24 UTC.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Opentelemetry; Opentelemetry opentelemetry-cpp
Vendors & Products | | Opentelemetry; Opentelemetry opentelemetry-cpp

Fri, 12 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.
Title | | opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response
Weaknesses | | CWE-789
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T16:10:48.362Z

Reserved: 2026-05-08T16:23:33.263Z

Link: CVE-2026-44967

Vulnrichment

Updated: 2026-06-12T16:10:40.139Z

NVD

Status: Awaiting Analysis

Published: 2026-06-12T16:16:27.973

Modified: 2026-06-12T17:16:23.020

Link: CVE-2026-44967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:20:03Z

Weaknesses
  • CWE-789: Memory Allocation with Excessive Size Value