OpenTelemetry OTLP Exporter CVE-2026-42191
MEDIUMSeverity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
5DescriptionGitHub Advisory
Summary
The OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured.
The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path.
On multi-user systems where the temporary directory is accessible to other local accounts, this exposed three attack surfaces:
- Blob injection (integrity): an attacker could write crafted
*.blobfiles into the predictable path; the exporter picks them up on the next retry cycle and forwards them to the configured OTLP endpoint under the application's identity. - Telemetry disclosure (confidentiality): an attacker reads
*.blobfiles written by the application between export failures, recovering encoded telemetry payloads (spans, metric data points, log records). - Resource exhaustion (availability): an attacker deposits numerous or oversized blob files, degrading retry-loop performance or consuming disk space.
Details
Preconditions
OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRYis set todisk.OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATHis not set, causing the exporter to resolve the blob storage root using theSystem.IO.Path.GetTempPath()API.- A local attacker has read or write access to the process' temporary directory (e.g.,
/tmpon Linux, or%TEMP%on a multi-user Windows installation).
Exploit path
- A target application starts with
OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=diskand no explicit blob directory. The exporter resolves the storage root toPath.GetTempPath(), producing paths such as%TEMP%\traces,%TEMP%\metrics, and%TEMP%\logs(or/tmp/tracesetc. on Linux). - Injection scenario: before or during the application's retry window, an attacker writes crafted
*.blobfiles into one of those signal subdirectories. On the next retry interval (by default every 60 seconds),OtlpExporterPersistentStorageTransmissionHandlerscans the directory, loads the attacker-supplied blobs, and forwards them to the configured OTLP endpoint using the application's identity and transport credentials. - Disclosure scenario: the attacker reads
*.blobfiles that the application wrote after a transient export failure, recovering the full serialized telemetry payloads (spans, metric data points, or log records in Protobuf encoding). - DoS scenario: the attacker deposits a large number of oversized blob files in the temporary subdirectories, causing the retry loop to consume excess CPU/IO processing them, potentially exhausting available disk space.
Mitigations
If an immediate upgrade to a patched version is not possible:
- Avoid enabling disk retry in shared environments.
- Configure a dedicated directory with strict ACL/ownership and least privilege.
- Ensure the directory is not shared across tenants/users.
- Monitor for unexpected
*.blobfiles or abnormal retry backlog growth.
Resources
AnalysisAI
OpenTelemetry.Exporter.OpenTelemetryProtocol versions 1.8.0 through 1.15.2 allow local attackers to inject malicious telemetry data, disclose stored telemetry payloads, or exhaust system resources by exploiting an insecure default disk retry directory that falls back to the shared system temporary path when the required directory configuration is not explicitly set. On multi-user systems, this enables attackers with read or write access to the temp directory to craft blob files that the exporter will forward to the OTLP endpoint under the application's identity, or to read exported telemetry data between transient export failures.
Technical ContextAI
The OpenTelemetry OTLP Exporter for .NET implements a disk-based retry mechanism for handling transient export failures, controlled by the OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY environment variable. When set to 'disk', the exporter serializes failed telemetry (traces, metrics, logs) as Protobuf-encoded *.blob files and stores them in subdirectories (traces/, metrics/, logs/) beneath a configured root path. The vulnerability stems from CWE-379 (Creation of Temporary File in Directory with Insecure Permissions): when OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH is not configured, the code silently falls back to System.IO.Path.GetTempPath(), which resolves to world-readable shared directories like /tmp on Linux or %TEMP% on multi-user Windows systems. The OtlpExporterPersistentStorageTransmissionHandler class scans these predictable signal-named directories every 60 seconds by default, loads any *.blob files present, and forwards them to the configured OTLP endpoint using the application's identity and transport credentials, without validating file ownership or integrity. This affects pkg:nuget/opentelemetry.exporter.opentelemetryprotocol versions 1.8.0 through 1.15.2.
RemediationAI
Upgrade OpenTelemetry.Exporter.OpenTelemetryProtocol to version 1.15.3 or later immediately. This version enforces explicit configuration of OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH when disk retry is enabled, eliminating the insecure fallback. For applications unable to upgrade immediately, there are three mitigations with trade-offs: (1) Avoid enabling disk retry entirely by not setting OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk (eliminates transient resilience but eliminates the vulnerability); (2) If disk retry is essential, explicitly set OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH to a dedicated, non-shared directory with strict ACLs (e.g., owned by the application service account with 0700 permissions on Linux, or NTFS ACLs on Windows) to prevent other users from reading or writing blob files (adds operational overhead but maintains functionality); (3) Run the application in a tightly isolated environment (e.g., per-application container, VM, or privilege-separated process) such that other users cannot access the temporary directory (mitigates but does not eliminate risk if isolation is imperfect). Additionally, monitor the disk retry directory for unexpected *.blob files or abnormal backlog growth using file integrity monitoring or log aggregation. See patch PR https://github.com/open-telemetry/opentelemetry-dotnet/pull/7106 and commit https://github.com/open-telemetry/opentelemetry-dotnet/commit/78dffdc5ebdf3dc090fdb94e3f1a32d3d1e26dfd.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4625-4j76-fww9