githubreceiver CVE-2026-55701
MEDIUMSeverity by source
Network-reachable webhook, no auth or interaction required; high integrity impact from pipeline data injection, no confidentiality loss, limited availability impact.
Lifecycle Timeline
2DescriptionCVE.org
githubreceiver Silently Ignores Configured required_headers Authentication
Summary
The githubreceiver webhook handler does not enforce the required_headers configuration. Headers are validated at startup (config rejects empty keys/values) but never checked on incoming requests. This follows the same pattern as GHSA-prf6-xjxh-p698 (awsfirehosereceiver auth bypass). Verified against current main.
Details
In receiver/githubreceiver/config.go, the RequiredHeaders field is defined (line 45) and validated at startup (lines 93-101). But receiver/githubreceiver/trace_receiver.go in handleReq() (lines 131-185) never references RequiredHeaders.
The gitlabreceiver enforces the same config correctly at receiver/gitlabreceiver/traces_receiver.go:266-270:
for key, value := range gtr.cfg.WebHook.RequiredHeaders { if r.Header.Get(key) != string(value) { return "", fmt.Errorf("%w: %s", errInvalidHeader, key) } }
Amplifying factor
The Secret field defaults to empty and has no validation requiring it to be set. With an empty secret, github.ValidatePayload skips HMAC validation entirely. An operator who configures required_headers as their authentication mechanism (without setting secret) has zero authentication on the webhook endpoint.
Impact
An attacker can send arbitrary webhook payloads to the githubreceiver endpoint, bypassing the operator configured authentication. This allows injecting fake CI/CD trace data into the observability pipeline.
Suggested Fix
Add RequiredHeaders enforcement to handleReq(), matching the gitlabreceiver pattern.
AnalysisAI
Authentication bypass in the githubreceiver component of opentelemetry-collector-contrib (versions ≤ 0.150.0) allows unauthenticated attackers to inject arbitrary webhook payloads into the OpenTelemetry observability pipeline. The required_headers configuration field is validated at startup but never enforced by handleReq() at request time, meaning any HTTP POST to the webhook endpoint is accepted regardless of header values. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires githubreceiver version 0.150.0 or earlier to be deployed with the `required_headers` configuration set as the intended authentication mechanism AND the `Secret` field left at its default empty value. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score was assigned by NVD or the vendor at time of analysis; the assessed vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L is independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the githubreceiver HTTP endpoint - whether from the internet if exposed, or from an internal network with any lateral access - sends an HTTP POST request with an arbitrary JSON payload mimicking a GitHub workflow event, deliberately omitting the header values the operator configured under `required_headers`. Because `handleReq()` performs no header comparison, the request is fully processed and the fabricated CI/CD trace data (for example, a fake successful deployment event) is ingested into the OpenTelemetry pipeline, potentially suppressing alerts, masking real failures, or poisoning observability dashboards used for incident response decisions. |
| Remediation | Upgrade opentelemetry-collector-contrib to version 0.151.0 or later, which adds `required_headers` enforcement inside `handleReq()` matching the gitlabreceiver implementation pattern documented in the advisory at https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-w5cv-pw74-4rxc. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-w5cv-pw74-4rxc