CVE Catalog

CVE-2026-44967

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

OpenTelemetry-cpp prior to version 1.27.0 has a vulnerability where the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This can lead to memory exhaustion when the configured collector endpoint is attacker-controlled.

Risk Assessment

The organization may be exposed to attacks leading to memory exhaustion, potentially resulting in service or system outages. Attackers could exploit this vulnerability to take control of the exporter connection.

Recommendation

It is recommended to upgrade to opentelemetry-cpp version 1.27.0 or later to mitigate this vulnerability. Additionally, verify the configuration of collector endpoints to ensure they are not controlled by unauthorized entities.

Original NVD description (English source)

OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS