CVE-2026-44967
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
OpenTelemetry-cpp prior to version 1.27.0 has a vulnerability where the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This can lead to memory exhaustion when the configured collector endpoint is attacker-controlled.
Risk Assessment
The organization may be exposed to attacks leading to memory exhaustion, potentially resulting in service or system outages. Attackers could exploit this vulnerability to take control of the exporter connection.
Recommendation
It is recommended to upgrade to opentelemetry-cpp version 1.27.0 or later to mitigate this vulnerability. Additionally, verify the configuration of collector endpoints to ensure they are not controlled by unauthorized entities.
Original NVD description (English source)
OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.

