Skip to main content

Opentelemetry Java Instrumentation

2 CVEs product

Monthly

CVE-2026-54712 HIGH PATCH This Week

Denial of service in OpenTelemetry Java Instrumentation before 2.27.0 lets an attacker who can reach an RMI endpoint on an instrumented JVM send an oversized context-propagation payload that triggers excessive memory allocation. The RMI payload reader caps the number of context entries but never bounds the aggregate size of the strings it reads, so a single crafted request can exhaust heap and crash or stall the JVM. No public exploit is identified at time of analysis, EPSS is low (0.24%), and CISA SSVC records no observed exploitation, but the flaw is network-reachable and unauthenticated wherever RMI instrumentation is enabled and exposed.

Java Denial Of Service Opentelemetry Java Instrumentation
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-54704 MEDIUM PATCH This Month

OpenTelemetry Java Instrumentation prior to 2.28.0 leaks clear-text database passwords into distributed trace span attributes when JDBC auto-instrumentation encounters double-quoted passwords in SQL CONNECT statements, bypassing the sanitization logic. These poisoned spans are then exported to any configured observability backend - Jaeger, Zipkin, OTLP collectors, or third-party SaaS monitoring - making database credentials visible to all parties with telemetry read access. No public exploit or confirmed active exploitation exists at time of analysis, but the impact of credential exposure is high given downstream database access risk.

Java Information Disclosure Opentelemetry Java Instrumentation
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in OpenTelemetry Java Instrumentation before 2.27.0 lets an attacker who can reach an RMI endpoint on an instrumented JVM send an oversized context-propagation payload that triggers excessive memory allocation. The RMI payload reader caps the number of context entries but never bounds the aggregate size of the strings it reads, so a single crafted request can exhaust heap and crash or stall the JVM. No public exploit is identified at time of analysis, EPSS is low (0.24%), and CISA SSVC records no observed exploitation, but the flaw is network-reachable and unauthenticated wherever RMI instrumentation is enabled and exposed.

Java Denial Of Service Opentelemetry Java Instrumentation
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenTelemetry Java Instrumentation prior to 2.28.0 leaks clear-text database passwords into distributed trace span attributes when JDBC auto-instrumentation encounters double-quoted passwords in SQL CONNECT statements, bypassing the sanitization logic. These poisoned spans are then exported to any configured observability backend - Jaeger, Zipkin, OTLP collectors, or third-party SaaS monitoring - making database credentials visible to all parties with telemetry read access. No public exploit or confirmed active exploitation exists at time of analysis, but the impact of credential exposure is high given downstream database access risk.

Java Information Disclosure Opentelemetry Java Instrumentation
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy