CVE-2026-29181
Received Received - Intake
CPU Amplification via Header Parsing in OpenTelemetry-Go Baggage

Publication date: 2026-04-07

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29181
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opentelemetry opentelemetry From 1.36.0 (inc) to 1.41.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in OpenTelemetry-Go versions 1.36.0 to 1.40.0 in the way it processes multi-value baggage headers. Specifically, the header extraction parses each header field-value independently and aggregates members across values. This behavior allows an attacker to send many baggage header lines, which can amplify CPU usage and memory allocations, even if each individual value is within the 8192-byte per-value parse limit.

This can lead to excessive resource consumption on the affected system.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause high CPU usage and increased memory allocations on systems running vulnerable versions of OpenTelemetry-Go. This can degrade system performance or potentially lead to denial of service conditions due to resource exhaustion.

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenTelemetry-Go to version 1.41.0 or later, where the issue is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29181. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart