CVE Catalog

CVE-2026-45292

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.69%

48th percentile - higher than 48% of all known CVEs

Summary

A vulnerability in the baggage propagation implementation in opentelemetry-java before version 1.62.0 causes unbounded memory allocation and CPU consumption when parsing oversized baggage. Since baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request.

Risk Assessment

An attacker can send a malicious request with excessively large baggage, leading to resource exhaustion (memory and CPU) in the target service and subsequent services processing that baggage, potentially causing a denial of service (DoS) across the entire infrastructure.

Recommendation

Immediately update the opentelemetry-java library to version 1.62.0 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This vulnerability is fixed in 1.62.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS