CVE-2026-48504
Received Received - Intake

Denial of Service in OpenTelemetry Rust SDK

Vulnerability report for CVE-2026-48504, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

OpenTelemetry Rust is the Rust OpenTelemetry implementation. In 0.32.0 and earlier, BaggagePropagator::extract_with_context in opentelemetry_sdk did not enforce W3C Baggage size limits before parsing an inbound baggage header, so a large attacker-controlled header could cause unnecessary CPU work and short-lived heap allocations while parsing entries later discarded by the SDK's baggage storage limits. Services that accept untrusted inbound propagation headers may experience increased per-request resource usage when processing oversized baggage headers. This issue is fixed in version 0.32.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
opentelemetry opentelemetry_rust 0.32.1
opentelemetry opentelemetry_rust to 0.32.1 (exc)
open_telemetry opentelemetry_rust to 0.32.1 (exc)
open_telemetry opentelemetry_sdk to 0.32.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

OpenTelemetry Rust versions 0.32.0 and earlier have a flaw in BaggagePropagator::extract_with_context where W3C Baggage size limits are not enforced before parsing inbound baggage headers. This allows large attacker-controlled headers to cause unnecessary CPU usage and short-lived heap allocations during parsing, even if the SDK later discards entries due to its own baggage storage limits.

Detection Guidance

Detecting this vulnerability requires checking if your OpenTelemetry Rust SDK version is 0.32.0 or earlier. Run: cargo show opentelemetry_sdk to verify the version. Monitor for unusual CPU or memory spikes during request processing, which may indicate oversized baggage headers.

Impact Analysis

If you use a vulnerable version of OpenTelemetry Rust and your service accepts untrusted inbound propagation headers, an attacker could send oversized baggage headers to increase per-request resource usage. This may lead to degraded performance or temporary resource exhaustion on your system.

Compliance Impact

This vulnerability primarily impacts availability by causing unnecessary resource usage during processing of oversized baggage headers, which could contribute to denial-of-service risks. It does not expose or modify data, so direct impacts on GDPR or HIPAA compliance are unlikely unless service disruption affects regulated operations.

Mitigation Strategies

Upgrade the OpenTelemetry Rust SDK to version 0.32.1 or later. If immediate upgrade is not possible, implement input validation to reject oversized baggage headers at the network or application level.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48504. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart