Compliance Impact

This vulnerability can lead to the exfiltration of sensitive information such as tokens, personally identifiable information (PII), or other confidential input into telemetry backends. Because regulations like GDPR and HIPAA require strict protection of sensitive and personal data, the unauthorized disclosure of such information through telemetry systems can result in non-compliance with these standards.

Additionally, the injection of untrusted text into downstream analysis systems can compromise data integrity, which is also a critical aspect of compliance frameworks. Therefore, organizations using vulnerable versions of OpenTelemetry eBPF Instrumentation may face increased risk of violating data protection and privacy regulations.

Updating to version 0.9.0 or later, which patches this issue, is necessary to mitigate these compliance risks.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-45679 affects the OpenTelemetry eBPF Instrumentation (OBI) project versions before 0.9.0. The vulnerability arises because OBI exports raw Redis error text directly as span status messages without proper sanitization.

Since Redis error replies can contain attacker-controlled or sensitive information, this behavior can lead to the exposure of confidential data such as tokens or personally identifiable information (PII). Additionally, it allows injection of untrusted text into telemetry backends and downstream analysis systems.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by enabling the exfiltration of sensitive data, including tokens and PII, through telemetry systems.

It also risks contaminating downstream analysis systems with untrusted or malicious text, potentially compromising the integrity of telemetry data.

The vulnerability can be exploited remotely over the network without requiring privileges or user interaction, making it a moderate security risk.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should update the OpenTelemetry eBPF Instrumentation (OBI) to version 0.9.0 or later.

This update prevents the export of raw Redis error text as span status messages, thereby avoiding the exfiltration of sensitive information and injection of untrusted text into telemetry backends.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the OpenTelemetry eBPF Instrumentation (OBI) exporting raw Redis error text as span status messages, which may contain sensitive or attacker-controlled data. To detect this vulnerability on your system, you should check the version of the OpenTelemetry eBPF Instrumentation installed and inspect telemetry data for raw Redis error messages.

• Verify the installed version of OpenTelemetry eBPF Instrumentation to ensure it is version 0.9.0 or later, as versions before 0.9.0 are vulnerable.
• Search your telemetry backend or logs for span status messages containing raw Redis error texts that may include sensitive or unexpected data.
• Example command to check the installed version (assuming a Linux environment and that the instrumentation is installed as a package): dpkg -l | grep opentelemetry-ebpf-instrumentation or rpm -qa | grep opentelemetry-ebpf-instrumentation
• Example command to search logs or telemetry data for Redis error messages: grep -i 'redis error' /path/to/telemetry/logs or use a query in your telemetry backend to filter span status messages containing Redis error text.

Useful 0 Not Useful 0