Skip to main content

githubreceiver CVE-2026-55701

MEDIUM
Incorrect Authorization (CWE-863)
2026-06-18 https://github.com/open-telemetry/opentelemetry-collector-contrib GHSA-w5cv-pw74-4rxc
Share

Severity by source

vuln.today AI
8.2 HIGH

Network-reachable webhook, no auth or interaction required; high integrity impact from pipeline data injection, no confidentiality loss, limited availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 16:03 vuln.today
Analysis Generated
Jun 18, 2026 - 16:03 vuln.today

DescriptionCVE.org

githubreceiver Silently Ignores Configured required_headers Authentication

Summary

The githubreceiver webhook handler does not enforce the required_headers configuration. Headers are validated at startup (config rejects empty keys/values) but never checked on incoming requests. This follows the same pattern as GHSA-prf6-xjxh-p698 (awsfirehosereceiver auth bypass). Verified against current main.

Details

In receiver/githubreceiver/config.go, the RequiredHeaders field is defined (line 45) and validated at startup (lines 93-101). But receiver/githubreceiver/trace_receiver.go in handleReq() (lines 131-185) never references RequiredHeaders.

The gitlabreceiver enforces the same config correctly at receiver/gitlabreceiver/traces_receiver.go:266-270:

for key, value := range gtr.cfg.WebHook.RequiredHeaders { if r.Header.Get(key) != string(value) { return "", fmt.Errorf("%w: %s", errInvalidHeader, key) } }

Amplifying factor

The Secret field defaults to empty and has no validation requiring it to be set. With an empty secret, github.ValidatePayload skips HMAC validation entirely. An operator who configures required_headers as their authentication mechanism (without setting secret) has zero authentication on the webhook endpoint.

Impact

An attacker can send arbitrary webhook payloads to the githubreceiver endpoint, bypassing the operator configured authentication. This allows injecting fake CI/CD trace data into the observability pipeline.

Suggested Fix

Add RequiredHeaders enforcement to handleReq(), matching the gitlabreceiver pattern.

AnalysisAI

Authentication bypass in the githubreceiver component of opentelemetry-collector-contrib (versions ≤ 0.150.0) allows unauthenticated attackers to inject arbitrary webhook payloads into the OpenTelemetry observability pipeline. The required_headers configuration field is validated at startup but never enforced by handleReq() at request time, meaning any HTTP POST to the webhook endpoint is accepted regardless of header values. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed githubreceiver webhook endpoint
Delivery
Craft HTTP POST omitting required_headers values
Exploit
handleReq() accepts request without header validation
Execution
Fake GitHub event payload processed as legitimate
Impact
Inject falsified CI/CD trace data into observability pipeline

Vulnerability AssessmentAI

Exploitation Exploitation requires githubreceiver version 0.150.0 or earlier to be deployed with the `required_headers` configuration set as the intended authentication mechanism AND the `Secret` field left at its default empty value. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score was assigned by NVD or the vendor at time of analysis; the assessed vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L is independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the githubreceiver HTTP endpoint - whether from the internet if exposed, or from an internal network with any lateral access - sends an HTTP POST request with an arbitrary JSON payload mimicking a GitHub workflow event, deliberately omitting the header values the operator configured under `required_headers`. Because `handleReq()` performs no header comparison, the request is fully processed and the fabricated CI/CD trace data (for example, a fake successful deployment event) is ingested into the OpenTelemetry pipeline, potentially suppressing alerts, masking real failures, or poisoning observability dashboards used for incident response decisions.
Remediation Upgrade opentelemetry-collector-contrib to version 0.151.0 or later, which adds `required_headers` enforcement inside `handleReq()` matching the gitlabreceiver implementation pattern documented in the advisory at https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-w5cv-pw74-4rxc. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy