CVE-2026-24051
Path Hijacking in OpenTelemetry-Go Enables Local Code Execution
Publication date: 2026-02-02
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | opentelemetry-go | From 1.21.0 (inc) to 1.40.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-426 | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the OpenTelemetry Go SDK versions v1.20.0 to v1.39.0 on macOS/Darwin systems. The issue is a Path Hijacking (Untrusted Search Paths) vulnerability in the resource detection code, which executes the ioreg system command using a search path. If an attacker can locally modify the PATH environment variable, they can cause the application to execute arbitrary code within its context.
How can this vulnerability impact me? :
An attacker with local access who can modify the PATH environment variable can exploit this vulnerability to execute arbitrary code within the context of the affected application. This can lead to unauthorized actions, data compromise, or system control depending on the application's privileges.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the OpenTelemetry Go SDK to version v1.40.0 or later, as this version contains the fix for the Path Hijacking vulnerability. Additionally, restrict or control the ability of local users to modify the PATH environment variable to prevent exploitation.