CVE-2026-54704
Status: Received - Intake

JDBC Password Leak in OpenTelemetry Java Instrumentation

Vulnerability report for CVE-2026-54704, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.28.0, the JDBC auto-instrumentation may fail to sanitize passwords in SQL CONNECT statements when the password is double-quoted. As a result, clear-text database passwords can be added to trace span attributes and exported to observability backends. This issue has been fixed in version 2.28.0.
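The following Python is an added illustration of the gap the description names, not the project's own sanitizer (which is not reproduced here). A toy sanitizer that masks only single-quoted literals and numbers lets a double-quoted or bare password through unchanged, while a version that treats double-quoted tokens in CONNECT statements as literals and masks whatever follows the password keyword does not. The CONNECT syntax (USER ... USING / IDENTIFIED BY / PASSWORD), the sample statements, and the db.statement attribute key are assumptions for the example; ordinary queries keep their double-quoted identifiers.

```python
import re

# Constructed sample statements (not taken from the advisory): the same
# CONNECT with single-quoted, double-quoted and bare credential values,
# plus an ordinary query that uses double quotes for identifiers.
CONNECT_SINGLE_QUOTED = "CONNECT TO sales USER 'app' USING 's3cr3t!'"
CONNECT_DOUBLE_QUOTED = 'CONNECT TO sales USER "app" USING "s3cr3t!"'
CONNECT_BARE = "CONNECT TO sales USER app USING hunter2"
SELECT_WITH_IDENTIFIERS = 'SELECT "name" FROM "users" WHERE id = 42'

_SINGLE_QUOTED = re.compile(r"'(?:[^']|'')*'")   # 'it''s' style literals
_DOUBLE_QUOTED = re.compile(r'"(?:[^"]|"")*"')   # "..." tokens
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_CONNECT = re.compile(r"^\s*CONNECT\b", re.IGNORECASE)
# Password keyword of the assumed CONNECT dialects, followed by a quoted
# or bare value; the value is masked whatever its quoting.
_PASSWORD_CLAUSE = re.compile(
    r"\b(USING|IDENTIFIED\s+BY|PASSWORD)\s+([^\s;]+)", re.IGNORECASE
)


def sanitize_naive(statement: str) -> str:
    """Mask single-quoted string literals and numbers only.

    This mirrors the gap the advisory describes: a double-quoted password
    is not recognised as a literal and survives into the span attribute.
    """
    masked = _SINGLE_QUOTED.sub("?", statement)
    return _NUMBER.sub("?", masked)


def sanitize_hardened(statement: str) -> str:
    """Generic literal masking plus CONNECT-specific credential masking.

    For CONNECT statements every double-quoted token is treated as a
    literal, and the token after the password keyword is masked even when
    it is bare. Other statements keep double-quoted identifiers intact.
    """
    masked = sanitize_naive(statement)
    if _CONNECT.match(masked):
        masked = _DOUBLE_QUOTED.sub("?", masked)
        masked = _PASSWORD_CLAUSE.sub(lambda m: f"{m.group(1)} ?", masked)
    return masked


def span_attributes(statement: str, sanitizer) -> dict:
    """Attribute map a JDBC span would export after sanitization.

    db.system and the db.statement key are assumed values for the example.
    """
    return {"db.system": "db2", "db.statement": sanitizer(statement)}


def leaks_secret(attributes: dict, secret: str) -> bool:
    """True if the clear-text secret appears in any exported attribute."""
    return any(secret in str(value) for value in attributes.values())


if __name__ == "__main__":
    secrets = ("s3cr3t!", "hunter2")
    for stmt in (CONNECT_SINGLE_QUOTED, CONNECT_DOUBLE_QUOTED, CONNECT_BARE):
        for label, fn in (("naive", sanitize_naive), ("hardened", sanitize_hardened)):
            attrs = span_attributes(stmt, fn)
            leaked = any(leaks_secret(attrs, s) for s in secrets)
            print(f"{label:8} leak={leaked!s:5} {attrs['db.statement']}")
```

Running the script shows the single-quoted CONNECT masked by both sanitizers, while the double-quoted and bare forms leak under the naive one and are masked under the hardened one.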


Meta Information

Generated: 2026-07-02
EPSS evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor          Product                Version / Range
opentelemetry   java_instrumentation   versions before 2.28.0 (2.28.0 excluded)

CWE

CWE-532: Insertion of Sensitive Information into Log File. The product writes sensitive information to a log file; in this case the "log" is the span attribute carrying the (supposedly sanitized) SQL statement, which the instrumentation exports to the observability backend.

Executive Summary

This vulnerability exists in OpenTelemetry Java Instrumentation versions prior to 2.28.0. The JDBC auto-instrumentation feature may fail to properly sanitize passwords in SQL CONNECT statements when the password is enclosed in double quotes. Because of this, clear-text database passwords can be captured and added to trace span attributes, which are then exported to observability backends.

Impact Analysis

Database passwords reach the observability backend in clear text inside span attributes. Anyone with read access to that backend, including operators, a third-party vendor hosting it, and an attacker who compromises it, can recover the credentials and connect to the database directly. Because trace data is normally retained, replicated and forwarded to other systems, the exposure outlives the span that carried it and persists until the password is rotated.

Mitigation Strategies

Upgrade OpenTelemetry Java Instrumentation to version 2.28.0 or later, which fixes the password sanitization in the JDBC auto-instrumentation. Upgrading only stops new leaks: passwords already exported remain in the observability backend and in any system it forwards to, so search exported spans for unmasked CONNECT statements, rotate the affected database credentials, and purge or redact the offending spans. If the upgrade cannot be rolled out immediately, disabling the JDBC instrumentation with its standard per-module switch (otel.instrumentation.jdbc.enabled=false) keeps the statements from being captured at all, at the cost of losing JDBC spans.
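As an added example for the search step, not a tool shipped by the project, the following Python scans a constructed list of exported spans and reports which ones still carry an unmasked CONNECT password. The span shape, the span_id values, and the db.statement / db.query.text attribute keys are assumptions for the example. A sanitized password is the placeholder ? (possibly quoted); anything else after the password keyword is treated as a leak, and the secret itself is never returned so the scan does not copy it into yet another log.

```python
import re

# Constructed sample of spans as they might sit in a tracing backend after
# export (shape and attribute keys are assumptions for this example).
SAMPLE_SPANS = [
    {"span_id": "a1", "attributes": {"db.system": "db2",
        "db.statement": "CONNECT TO sales USER ? USING ?"}},
    {"span_id": "b2", "attributes": {"db.system": "db2",
        "db.statement": 'CONNECT TO sales USER "app" USING "s3cr3t!"'}},
    {"span_id": "c3", "attributes": {"db.system": "db2",
        "db.statement": "SELECT * FROM orders WHERE id = ?"}},
    {"span_id": "d4", "attributes": {"db.system": "db2",
        "db.query.text": "CONNECT TO hr USER app IDENTIFIED BY hunter2"}},
]

# Attribute keys under which the captured statement may be stored (assumed).
STATEMENT_KEYS = ("db.statement", "db.query.text")

# CONNECT statement whose password keyword (USING / IDENTIFIED BY / PASSWORD)
# is followed by a token; the token is captured for inspection only.
_CONNECT_PASSWORD = re.compile(
    r"^\s*CONNECT\b.*?\b(?:USING|IDENTIFIED\s+BY|PASSWORD)\s+([^\s;]+)",
    re.IGNORECASE | re.DOTALL,
)


def password_token(statement: str):
    """Return the raw password token of a CONNECT statement, or None."""
    match = _CONNECT_PASSWORD.search(statement)
    return match.group(1) if match else None


def is_masked(token: str) -> bool:
    """A properly sanitized password is the placeholder ?, possibly quoted."""
    return token.strip("'\"") == "?"


def find_leaked_connect_spans(spans):
    """Return (span_id, attribute key) for spans with an unmasked password.

    Only the location is returned, never the password value, so a report
    built from this output does not itself become a credential leak.
    """
    hits = []
    for span in spans:
        attributes = span.get("attributes", {})
        for key in STATEMENT_KEYS:
            statement = attributes.get(key)
            if not isinstance(statement, str):
                continue
            token = password_token(statement)
            if token is not None and not is_masked(token):
                hits.append((span["span_id"], key))
    return hits


if __name__ == "__main__":
    for span_id, key in find_leaked_connect_spans(SAMPLE_SPANS):
        print(f"span {span_id}: unmasked CONNECT password in {key}")
```

Each hit identifies a credential that must be rotated and a span that should be purged or redacted in the backend; a backend's own query language can express the same check over real data.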

Compliance Impact

This vulnerability causes clear-text database passwords to be included in trace span attributes and exported to observability backends. Such exposure of sensitive authentication credentials can lead to unauthorized access risks and potential data breaches.

Because sensitive information like passwords is exposed, this issue may negatively impact compliance with standards and regulations such as GDPR and HIPAA, which require protection of sensitive data and credentials to ensure confidentiality and prevent unauthorized disclosure.

Organizations using affected versions prior to 2.28.0 should upgrade to the fixed version to mitigate this risk and maintain compliance.
