Skip to main content

OpenTelemetry Zipkin Exporter CVE-2026-41310

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-04-28 https://github.com/open-telemetry/opentelemetry-dotnet GHSA-88hf-wf7h-7w4m
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 29, 2026 - 00:00 vuln.today
Analysis Generated
Apr 28, 2026 - 23:46 vuln.today
Patch released
Apr 28, 2026 - 23:46 nvd
Patch available
CVE Published
Apr 28, 2026 - 23:23 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Summary

The Zipkin exporter remote endpoint cache accepted unbounded key growth derived from span attributes. In high-cardinality scenarios, this could increase process memory usage over time and degrade availability.

Details

  • Introduce a bounded, thread-safe LRU cache for remote endpoints.
  • Enforce fixed maximum size to prevent unbounded growth.

Impact

  • A process using Zipkin export for client/producer spans could experience avoidable memory growth under sustained unique remote endpoint values.

Resources

#7081

AnalysisAI

OpenTelemetry's Zipkin exporter for .NET allows unauthenticated remote attackers to trigger denial of service by sending spans with high-cardinality remote endpoint attributes, causing unbounded memory growth in the remote endpoint cache and eventual process degradation. CVSS 5.3 (network-accessible, low complexity). Patch available from vendor; no active exploitation identified.

Technical ContextAI

The OpenTelemetry Zipkin exporter (NuGet package opentelemetry.exporter.zipkin) maintains an in-memory cache of remote endpoint values derived from span attributes. In distributed tracing, spans may contain remote endpoint information (e.g., target service addresses). The vulnerability arises from CWE-400 (uncontrolled resource consumption): the cache accepted unbounded key growth without size limits, allowing an attacker to craft or inject spans with unique remote endpoint values. Each new unique endpoint value added a new cache entry, consuming heap memory indefinitely. Under sustained high-cardinality workloads (many unique endpoint combinations), this causes memory exhaustion and process unavailability. The fix implements a bounded, thread-safe LRU (Least Recently Used) cache with a fixed maximum size, preventing unbounded growth.

RemediationAI

Upgrade to the patched version of OpenTelemetry.Exporter.Zipkin released by the OpenTelemetry .NET maintainers following PR #7081 (commit c724f4bd6fd88e9a599af1668bf7af9487155b62). Refer to the GitHub advisory (https://github.com/advisories/GHSA-88hf-wf7h-7w4m) for the exact version number and NuGet package release details. If immediate patching is not feasible, apply defense-in-depth controls: validate and limit the cardinality of remote endpoint attributes in incoming spans before they reach the Zipkin exporter (e.g., implement span sampling or attribute filtering in the OpenTelemetry pipeline), restrict network access to span ingestion endpoints to trusted clients only, and monitor process memory usage to detect early signs of exhaustion. Monitor the OpenTelemetry project releases (https://github.com/open-telemetry/opentelemetry-dotnet/releases) for official patched version availability.

Share

CVE-2026-41310 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy