Skip to main content

fluent-plugin-opentelemetry CVE-2026-44163

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-26 https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry GHSA-2jc5-xhx8-qj6h
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
7.5 HIGH

OOM kill terminates the entire Fluentd process (complete availability loss), warranting A:H over the scored A:L; all other metrics align with the provided vector.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 26, 2026 - 17:51 vuln.today
Analysis Generated
Jun 26, 2026 - 17:51 vuln.today

DescriptionGitHub Advisory

The fluent-plugin-opentelemetry plugin (specifically the in_opentelemetry HTTP input) lacked strict size limits on incoming requests. It was discovered that the plugin read the entire request body and decompressed payloads into memory without enforcing maximum size thresholds.

If the OpenTelemetry ingestion endpoint is exposed to untrusted networks, an attacker can send an excessively large HTTP request or a maliciously crafted, highly compressed payload. When the plugin attempts to read or decompress this payload, it will expand to an excessive size and it will consume significant system resources.

Impact

This vulnerability allows for a Denial of Service (DoS) attack via memory exhaustion. The rapid memory consumption during decompression can easily lead to an Out-of-Memory kill of the Fluentd process by the operating system. This results in the disruption of all log collection and forwarding capabilities on the affected node.

Patches

v0.5.3

Workarounds

If an immediate upgrade is not possible, users are strongly advised to apply the following mitigations:

  1. Restrict Network Access
  • Ensure that the OpenTelemetry ingestion ports (default 4318) are deployed within a closed, trusted network. Use firewall rules (e.g., iptables, AWS Security Groups) to block access from untrusted networks or instances.
  1. Use a Reverse Proxy
  • If you must expose HTTP ingestion to external sources, place a robust reverse proxy (such as Nginx) in front of Fluentd. Configure the proxy to handle the gzip decompression and enforce strict limits on both compressed and uncompressed body sizes before passing the traffic to Fluentd.

AnalysisAI

Memory exhaustion in fluent-plugin-opentelemetry versions 0.5.2 and earlier allows unauthenticated remote attackers to crash the Fluentd process by sending an oversized HTTP request body or a decompression bomb to the in_opentelemetry HTTP input endpoint (default port 4318). The plugin reads and decompresses the entire payload into memory without enforcing size thresholds, enabling an OOM kill of Fluentd and complete disruption of log collection and forwarding on the affected node. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Fluentd node with port 4318 exposed
Delivery
Craft gzip decompression bomb or oversized HTTP POST body
Exploit
Send request to /v1/logs or /v1/traces endpoint
Install
Plugin reads and decompresses payload without size enforcement
C2
Unbounded memory allocation exhausts system RAM
Execute
OS OOM killer terminates Fluentd process
Impact
Log collection and forwarding disrupted

Vulnerability AssessmentAI

Exploitation Exploitation requires network-level access to the `in_opentelemetry` HTTP ingestion port (default 4318) from an untrusted source; the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms unauthenticated remote exploitation with no special configuration required beyond the port being reachable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) underrepresents the actual impact: the advisory explicitly states that decompression can produce an OOM kill of the Fluentd process, which constitutes complete, not partial, availability loss of the logging pipeline - an A:H outcome in practice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker with network access to port 4318 sends a small gzip-compressed HTTP POST to the `/v1/logs` or `/v1/traces` endpoint, where the compressed body (a few kilobytes) is constructed to expand to gigabytes upon decompression - a classic decompression bomb. The Fluentd plugin decompresses the payload into memory without bounds, rapidly exhausting available system RAM until the OS OOM killer terminates the Fluentd process, halting all log collection and forwarding on the affected node. …
Remediation Upgrade fluent-plugin-opentelemetry to version 0.5.3, which is confirmed as the patched release per advisory GHSA-2jc5-xhx8-qj6h and commit ce6c1f2a7741592c8a79afbe75fded9e8ebfa92d (https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/commit/ce6c1f2a7741592c8a79afbe75fded9e8ebfa92d). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-44163 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy