CVE-2026-42191
Analyzed Analyzed - Analysis Complete
BaseFortify

Publication date: 2026-05-12

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured. The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path. On multi-user systems where the temporary directory is accessible to other local accounts, this allows an attacker to write crafted *.blob files, read *.blob files written by the application between export failures, or deposit numerous or oversized blob files, degrading retry-loop performance or consuming disk space. This vulnerability is fixed in 1.15.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-26
Generated
2026-06-10
EPSS Evaluated
2026-06-08
NVD
CVE-2026-42191
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opentelemetry opentelemetry.exporter.opentelemetryprotocol From 1.8.0 (inc) to 1.15.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-379 The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
AI Quick Actions have not been generated yet.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42191. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart