Skip to main content

OpenTelemetry Java SDK CVE-2026-45292

| EUVDEUVD-2026-32953 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-14 https://github.com/open-telemetry/opentelemetry-java GHSA-rcgg-9c38-7xpx
5.3
CVSS 3.1 · Vendor: https://github.com/open-telemetry/opentelemetry-java
Share

Severity by source

Vendor (https://github.com/open-telemetry/opentelemetry-java) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/open-telemetry/opentelemetry-java).

CVSS VectorVendor: https://github.com/open-telemetry/opentelemetry-java

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 26, 2026 - 21:32 vuln.today
Analysis Generated
May 26, 2026 - 21:32 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,593 maven packages depend on io.opentelemetry:opentelemetry-api (284 direct, 1,311 indirect)
  • 250 maven packages depend on io.opentelemetry:opentelemetry-extension-trace-propagators (13 direct, 237 indirect)

Ecosystem-wide dependent count for version 1.62.0 and other introduced versions.

DescriptionCVE.org

Overview

A vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request.

Technical Details

  • W3CBaggagePropagator did not enforce any limit on the total size or entry count of the

baggage header. The parser iterated character-by-character through the entire value regardless of length.

  • JaegerPropagator and OtTracePropagator had the same gap in their respective baggage

extraction paths.

  • The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; none of

these limits were enforced.

Impact

The practical availability impact for most deployments is limited. Every major Java HTTP server enforces its own header size limit (Tomcat, Jetty, Netty, Vert.x, and gRPC-Java all default to 8 KiB), constraining what an external attacker can deliver before the application is reached. The risk is higher when transport-layer limits are absent - e.g., a compromised internal service communicating over a non-HTTP or custom transport.

Remediation

Update to version 1.62.0 or later (#8380). The fix enforces limits consistent with the W3C Baggage specification at the propagator level:

  • Maximum total baggage size: 8,192 bytes across all baggage header values
  • Maximum number of entries: 64

Headers that would exceed either limit are dropped at the point the limit is reached; already-extracted valid entries are retained.

Workarounds

Ensure HTTP header size limits are configured at the server or gateway level. Most Java HTTP servers enforce an 8 KiB header limit by default, which mitigates external attack vectors independently of this fix.

References

AnalysisAI

Unbounded memory allocation and CPU exhaustion in OpenTelemetry Java SDK's baggage propagation allows remote unauthenticated attackers to degrade or deny service by sending oversized baggage headers. Affected components - W3CBaggagePropagator, JaegerPropagator, and OtTracePropagator - all lacked enforcement of the W3C Baggage specification's recommended size and entry limits, causing character-by-character parsing of arbitrarily large inputs. A distinctive amplification risk exists: baggage is automatically re-injected into all outgoing requests, meaning a single malicious inbound payload can fan out DoS effects to downstream services that never directly received the original request. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Technical ContextAI

CWE-770 (Allocation of Resources Without Limits or Throttling) describes the root cause: the Parser class in io.opentelemetry.api.baggage.propagation iterated character-by-character over the full baggage header value without any bound on total bytes or entry count. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries, but none of the three affected propagators - W3CBaggagePropagator, JaegerPropagator, and OtTracePropagator - enforced these recommendations. The affected Maven packages are pkg:maven/io.opentelemetry:opentelemetry-api and pkg:maven/io.opentelemetry:opentelemetry-extension-trace-propagators, both versions up to and including 1.61.0. The OpenTelemetry baggage propagation mechanism is a distributed tracing concern: baggage entries are key-value pairs carried across service boundaries via HTTP or custom transports, making the fan-out amplification a structurally inherent risk of the design rather than a secondary effect.

RemediationAI

Vendor-released patch: 1.62.0. Upgrade both io.opentelemetry:opentelemetry-api and io.opentelemetry:opentelemetry-extension-trace-propagators to version 1.62.0 or later. The fix, implemented via PR #8380 (https://github.com/open-telemetry/opentelemetry-java/pull/8380) and commit 03837d3c1763bc35464aea1078671e2ef2336a5f, introduces a maximum baggage size of 8,192 bytes across all baggage header values and a maximum of 64 entries; headers exceeding either limit are dropped at the point the limit is reached while previously extracted valid entries are retained. For deployments where immediate upgrade is not possible, verify that HTTP header size limits are explicitly configured at the server or gateway layer: Tomcat, Jetty, Netty, Vert.x, and gRPC-Java all default to 8 KiB, which mitigates external attack vectors. Note that this workaround does not protect against a compromised internal service exploiting the fan-out path over non-HTTP or custom transports - for those architectures, upgrading to 1.62.0 is the only reliable control. The release is available at https://github.com/open-telemetry/opentelemetry-java/releases/tag/v1.62.0.

More in Tomcat

View all
CVE-2017-12617 HIGH POC
8.1 Oct 04

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTT

CVE-2016-8735 CRITICAL POC
9.8 Apr 06

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8

CVE-2017-12615 HIGH POC
8.1 Sep 19

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this

CVE-2014-0050 HIGH POC
7.5 Apr 01

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products,

CVE-2017-12616 HIGH
7.5 Sep 19

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or

CVE-2014-0227 MEDIUM
6.4 Feb 16

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and

CVE-2013-5528 MEDIUM POC
4.0 Oct 11

Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager all

CVE-2016-6808 CRITICAL POC
9.8 Apr 12

Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2016-1240 HIGH POC
7.8 Oct 03

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debia

CVE-2016-5425 HIGH POC
7.8 Oct 13

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distribu

CVE-2022-22965 CRITICAL POC
9.8 Apr 01

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b

CVE-2025-31650 HIGH POC
7.5 Apr 28

Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely

Vendor StatusVendor

Share

CVE-2026-45292 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy