CVE-2026-29181
Modified Modified - Updated After Analysis

CPU Amplification via Header Parsing in OpenTelemetry-Go Baggage

Vulnerability report for CVE-2026-29181, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-07

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-07
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-04-08
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
opentelemetry opentelemetry From 1.36.0 (inc) to 1.41.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in OpenTelemetry-Go versions 1.36.0 to 1.40.0 in the way it processes multi-value baggage headers. Specifically, the header extraction parses each header field-value independently and aggregates members across values. This behavior allows an attacker to send many baggage header lines, which can amplify CPU usage and memory allocations, even if each individual value is within the 8192-byte per-value parse limit.

This can lead to excessive resource consumption on the affected system.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause high CPU usage and increased memory allocations on systems running vulnerable versions of OpenTelemetry-Go. This can degrade system performance or potentially lead to denial of service conditions due to resource exhaustion.

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenTelemetry-Go to version 1.41.0 or later, where the issue is fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29181. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart