Skip to main content

OpenTelemetry OTLP Exporter CVE-2026-42191

MEDIUM
Creation of Temporary File in Directory with Insecure Permissions (CWE-379)
2026-04-30 https://github.com/open-telemetry/opentelemetry-dotnet GHSA-4625-4j76-fww9
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

5
Source Code Evidence Fetched
Apr 30, 2026 - 19:00 vuln.today
Analysis Generated
Apr 30, 2026 - 19:00 vuln.today
Analysis Generated
Apr 30, 2026 - 18:45 vuln.today
Patch released
Apr 30, 2026 - 18:45 nvd
Patch available
CVE Published
Apr 30, 2026 - 18:34 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Summary

The OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured.

The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path.

On multi-user systems where the temporary directory is accessible to other local accounts, this exposed three attack surfaces:

  • Blob injection (integrity): an attacker could write crafted *.blob files into the predictable path; the exporter picks them up on the next retry cycle and forwards them to the configured OTLP endpoint under the application's identity.
  • Telemetry disclosure (confidentiality): an attacker reads *.blob files written by the application between export failures, recovering encoded telemetry payloads (spans, metric data points, log records).
  • Resource exhaustion (availability): an attacker deposits numerous or oversized blob files, degrading retry-loop performance or consuming disk space.

Details

Preconditions
  1. OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY is set to disk.
  2. OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH is not set, causing the exporter to resolve the blob storage root using the System.IO.Path.GetTempPath() API.
  3. A local attacker has read or write access to the process' temporary directory (e.g., /tmp on Linux, or %TEMP% on a multi-user Windows installation).
Exploit path
  1. A target application starts with OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk and no explicit blob directory. The exporter resolves the storage root to Path.GetTempPath(), producing paths such as %TEMP%\traces, %TEMP%\metrics, and %TEMP%\logs (or /tmp/traces etc. on Linux).
  2. Injection scenario: before or during the application's retry window, an attacker writes crafted *.blob files into one of those signal subdirectories. On the next retry interval (by default every 60 seconds), OtlpExporterPersistentStorageTransmissionHandler scans the directory, loads the attacker-supplied blobs, and forwards them to the configured OTLP endpoint using the application's identity and transport credentials.
  3. Disclosure scenario: the attacker reads *.blob files that the application wrote after a transient export failure, recovering the full serialized telemetry payloads (spans, metric data points, or log records in Protobuf encoding).
  4. DoS scenario: the attacker deposits a large number of oversized blob files in the temporary subdirectories, causing the retry loop to consume excess CPU/IO processing them, potentially exhausting available disk space.

Mitigations

If an immediate upgrade to a patched version is not possible:

  1. Avoid enabling disk retry in shared environments.
  2. Configure a dedicated directory with strict ACL/ownership and least privilege.
  3. Ensure the directory is not shared across tenants/users.
  4. Monitor for unexpected *.blob files or abnormal retry backlog growth.

Resources

AnalysisAI

OpenTelemetry.Exporter.OpenTelemetryProtocol versions 1.8.0 through 1.15.2 allow local attackers to inject malicious telemetry data, disclose stored telemetry payloads, or exhaust system resources by exploiting an insecure default disk retry directory that falls back to the shared system temporary path when the required directory configuration is not explicitly set. On multi-user systems, this enables attackers with read or write access to the temp directory to craft blob files that the exporter will forward to the OTLP endpoint under the application's identity, or to read exported telemetry data between transient export failures.

Technical ContextAI

The OpenTelemetry OTLP Exporter for .NET implements a disk-based retry mechanism for handling transient export failures, controlled by the OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY environment variable. When set to 'disk', the exporter serializes failed telemetry (traces, metrics, logs) as Protobuf-encoded *.blob files and stores them in subdirectories (traces/, metrics/, logs/) beneath a configured root path. The vulnerability stems from CWE-379 (Creation of Temporary File in Directory with Insecure Permissions): when OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH is not configured, the code silently falls back to System.IO.Path.GetTempPath(), which resolves to world-readable shared directories like /tmp on Linux or %TEMP% on multi-user Windows systems. The OtlpExporterPersistentStorageTransmissionHandler class scans these predictable signal-named directories every 60 seconds by default, loads any *.blob files present, and forwards them to the configured OTLP endpoint using the application's identity and transport credentials, without validating file ownership or integrity. This affects pkg:nuget/opentelemetry.exporter.opentelemetryprotocol versions 1.8.0 through 1.15.2.

RemediationAI

Upgrade OpenTelemetry.Exporter.OpenTelemetryProtocol to version 1.15.3 or later immediately. This version enforces explicit configuration of OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH when disk retry is enabled, eliminating the insecure fallback. For applications unable to upgrade immediately, there are three mitigations with trade-offs: (1) Avoid enabling disk retry entirely by not setting OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk (eliminates transient resilience but eliminates the vulnerability); (2) If disk retry is essential, explicitly set OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH to a dedicated, non-shared directory with strict ACLs (e.g., owned by the application service account with 0700 permissions on Linux, or NTFS ACLs on Windows) to prevent other users from reading or writing blob files (adds operational overhead but maintains functionality); (3) Run the application in a tightly isolated environment (e.g., per-application container, VM, or privilege-separated process) such that other users cannot access the temporary directory (mitigates but does not eliminate risk if isolation is imperfect). Additionally, monitor the disk retry directory for unexpected *.blob files or abnormal backlog growth using file integrity monitoring or log aggregation. See patch PR https://github.com/open-telemetry/opentelemetry-dotnet/pull/7106 and commit https://github.com/open-telemetry/opentelemetry-dotnet/commit/78dffdc5ebdf3dc090fdb94e3f1a32d3d1e26dfd.

Share

CVE-2026-42191 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy