Description
opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This vulnerability is fixed in 1.62.0.
Published: 2026-05-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Parsing an oversized baggage header in opentelemetry-java's baggage propagation triggers an unbounded memory allocation and high CPU consumption. The library allocates memory proportional to the header size and consumes significant CPU resources. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This flaw is fixed in version 1.62.0. The vulnerability is a CWE-770 unbounded memory allocation issue.

Affected Systems

The flaw exists in the opentelemetry-api and opentelemetry-extension-trace-propagators packages published from the open-telemetry/opentelemetry-java repository, for any release prior to version 1.62.0. Administrators should verify that deployments of these components are at or above this version to eliminate the risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, indicating moderate severity. EPSS data is unavailable and the issue is not listed in CISA's KEV catalog, suggesting no confirmed exploit activity yet; however, because the flaw can be triggered by an inbound request with an overly long baggage header, the likely attack vector is HTTP traffic to a service that propagates OpenTelemetry headers. Successful exploitation would exhaust system resources and could propagate the effect to downstream services that forward the malformed baggage.

Generated by OpenCVE AI on May 28, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all opentelemetry-java components (opentelemetry-api, opentelemetry-extension-trace-propagators, open-telemetry/opentelemetry-java) to version 1.62.0 or newer.
  • Rebuild, redeploy, and restart the affected services to ensure the updated library is in use.
  • As a temporary measure, configure your application or API gateway to reject baggage headers that exceed a reasonable size or disable baggage propagation until the patch is applied.
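The third action above (reject oversized baggage headers before the library parses them) can be implemented as a small pre-parse gate in front of the OpenTelemetry propagator. The class below is an added example written for this page; it is not code from OpenCVE or from the opentelemetry-java project. The class name, the `Verdict` record and the three size limits are assumptions: the limits mirror the minimum values a W3C Baggage propagator is required to support, and the sample headers in `main` are constructed, not captured traffic. It needs Java 17 or newer for the record syntax.

```java
import java.nio.charset.StandardCharsets;
import java.util.List;

/**
 * BaggageHeaderGate (added example, not OpenCVE's or opentelemetry-java's code):
 * bounds the size of the W3C "baggage" request header before any OpenTelemetry
 * propagator parses it, so an oversized value is rejected at the edge instead of
 * being parsed, allocated for, and re-injected into every outgoing request.
 *
 * The limits are assumptions chosen to match the minimum values a W3C Baggage
 * propagator must support; tune them to the traffic your services actually see.
 */
public final class BaggageHeaderGate {

    static final int MAX_TOTAL_BYTES = 8192;   // assumption: total bytes across all baggage headers
    static final int MAX_LIST_MEMBERS = 180;   // assumption: comma-separated list members in total
    static final int MAX_MEMBER_BYTES = 4096;  // assumption: bytes in one list member

    /** Outcome of the check; reason is null when the header set is acceptable. */
    public record Verdict(boolean accept, String reason) {}

    /**
     * Inspects every occurrence of the header (HTTP allows the field to repeat).
     * The total-size check runs before any splitting, so the work done here is
     * linear in the input and never tokenises more than MAX_TOTAL_BYTES.
     */
    public static Verdict check(List<String> baggageHeaders) {
        int totalBytes = 0;
        int members = 0;
        for (String value : baggageHeaders) {
            if (value == null || value.isEmpty()) {
                continue;
            }
            totalBytes += value.getBytes(StandardCharsets.UTF_8).length;
            if (totalBytes > MAX_TOTAL_BYTES) {
                return new Verdict(false, "baggage headers exceed " + MAX_TOTAL_BYTES + " bytes in total");
            }
            // Only count members and measure each one; key/value parsing is left to
            // the propagator once the input is known to be bounded.
            for (String member : value.split(",", -1)) {
                members++;
                if (members > MAX_LIST_MEMBERS) {
                    return new Verdict(false, "baggage has more than " + MAX_LIST_MEMBERS + " list members");
                }
                if (member.getBytes(StandardCharsets.UTF_8).length > MAX_MEMBER_BYTES) {
                    return new Verdict(false, "a baggage list member exceeds " + MAX_MEMBER_BYTES + " bytes");
                }
            }
        }
        return new Verdict(true, null);
    }

    /** Runs the gate over constructed sample headers (not captured traffic). */
    public static void main(String[] args) {
        // Constructed: an ordinary header that should pass.
        List<String> normal = List.of("userId=alice,serverNode=DF%2028,isProduction=false");
        // Constructed: a single member far beyond the total budget.
        List<String> oversized = List.of("k=" + "v".repeat(20_000));
        // Constructed: many small, well-formed members, but too many of them.
        StringBuilder many = new StringBuilder();
        for (int i = 0; i < 200; i++) {
            if (i > 0) {
                many.append(',');
            }
            many.append("k").append(i).append("=v");
        }
        List<String> tooManyMembers = List.of(many.toString());

        for (List<String> sample : List.of(normal, oversized, tooManyMembers)) {
            Verdict v = check(sample);
            System.out.println((v.accept() ? "ACCEPT" : "REJECT")
                    + (v.reason() == null ? "" : ": " + v.reason()));
        }
    }
}
```

In a servlet filter, `Collections.list(request.getHeaders("baggage"))` yields the list to pass to `check`; on a reject verdict the filter can answer 431 Request Header Fields Too Large, or strip the header so the propagator sees no baggage at all and nothing is re-injected downstream. Logging the verdict reason together with the client address gives a detection signal for the oversized-header traffic the analysis above describes, which is otherwise invisible once the request has been forwarded.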



Advisories

  • Source: Github GHSA
  • ID: GHSA-rcgg-9c38-7xpx
  • Title: OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation
History

Wed, 03 Jun 2026 02:30:00 +0000

  • References: no values removed or added
  • Metrics (threat_severity): Values Removed: None; Values Added: Important

Sat, 30 May 2026 23:00:00 +0000

  • First Time appeared: Values Added: Opentelemetry; Opentelemetry opentelemetry-java; Opentelemetry opentelemetry.api; Opentelemetry opentelemetry.extensions.propagators
  • Vendors & Products: Values Added: Opentelemetry; Opentelemetry opentelemetry-java; Opentelemetry opentelemetry.api; Opentelemetry opentelemetry.extensions.propagators

Thu, 28 May 2026 18:30:00 +0000

  • Metrics (ssvc): Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 17:00:00 +0000

  • Description: Values Added: opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This vulnerability is fixed in 1.62.0.
  • Title: Values Added: opentelemetry-java: Unbounded Memory Allocation in W3C Baggage Propagation
  • Weaknesses: Values Added: CWE-770
  • References: no values listed
  • Metrics (cvssV3_1): Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T17:27:14.164Z

Reserved: 2026-05-11T20:14:43.201Z

Link: CVE-2026-45292

Vulnrichment

Updated: 2026-05-28T17:27:08.804Z

NVD

Status : Awaiting Analysis

Published: 2026-05-28T17:16:32.060

Modified: 2026-05-29T15:42:56.873

Link: CVE-2026-45292

Redhat

Severity : Important

Public Date: 2026-05-28T16:37:29Z

Links: CVE-2026-45292 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T21:19:14Z

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling