Executive Summary

This vulnerability exists in OpenTelemetry-Go versions from 1.15.0 to 1.42.0. It involves a PATH hijacking attack on BSD and Solaris platforms. Specifically, while a previous fix for a related vulnerability (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path, the BSD kenv command still used a bare command name. This allowed attackers to exploit the PATH environment variable to execute malicious code by placing a malicious executable earlier in the PATH, leading to potential unauthorized actions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with limited privileges to execute arbitrary code by hijacking the PATH environment variable on BSD and Solaris systems. This could lead to unauthorized actions or compromise of the system where OpenTelemetry-Go is used, especially if the attacker can influence the environment in which the vulnerable commands run.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenTelemetry-Go to version 1.43.0 or later, where the issue has been fixed.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability CVE-2026-39883 involves a PATH hijacking attack on BSD and Solaris platforms due to the use of a bare command name instead of an absolute path. This allows a local attacker to execute arbitrary code within the application context.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the vulnerability's impact on arbitrary code execution and potential unauthorized access to application data could indirectly affect compliance by compromising data integrity, confidentiality, and system security.

The fix in version 1.43.0 mitigates this risk by enforcing the use of absolute paths for system commands, reducing the risk of unauthorized code execution and helping maintain the security posture required by such regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises from the use of the kenv command without an absolute path, allowing PATH hijacking on BSD and Solaris systems when the /etc/hostid file does not exist.

To detect if your system or application is vulnerable, you can check if the OpenTelemetry-Go SDK version in use is between 1.15.0 and 1.42.0 inclusive, as these versions contain the vulnerable code.

Additionally, you can verify if the kenv command is being invoked without an absolute path by inspecting the running processes or the application code that uses OpenTelemetry-Go.

A practical command to check for the presence of a vulnerable OpenTelemetry-Go version in your Go modules is:

• go list -m all | grep go.opentelemetry.io/otel/sdk

To check if the kenv command is accessible via PATH and potentially hijackable, you can run:

• which kenv

If the output is a relative path or a user-writable directory, this indicates a risk of PATH hijacking.

You can also check if the /etc/hostid file exists, since the vulnerable code path is triggered when this file is missing:

• ls -l /etc/hostid

If the file does not exist, the vulnerable code path may be executed.

Finally, to detect if a malicious kenv binary is present earlier in the PATH, you can inspect the PATH environment variable and the directories it includes:

• echo $PATH

and check each directory for suspicious kenv binaries.

Useful 0 Not Useful 0