CVE-2026-29181
Published: 07 April 2026
Summary
CVE-2026-29181 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in OpenTelemetry's OpenTelemetry-Go library. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 23.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-29181 is a denial-of-service vulnerability in OpenTelemetry-Go, the Go implementation of OpenTelemetry, affecting versions 1.36.0 through 1.40.0. The issue stems from the multi-value baggage header extraction mechanism, which parses each header field-value independently and aggregates members across multiple values. This allows attackers to amplify CPU usage and memory allocations by sending numerous baggage header lines, even when each individual value remains within the 8192-byte per-value parse limit. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated attacker with network access to a service using the affected OpenTelemetry-Go library can exploit this vulnerability by sending HTTP requests that carry many baggage header lines. Exploitation is low-complexity and needs no user interaction; the result is a remote denial of service through CPU and allocation exhaustion (high availability impact), while confidentiality and integrity remain unaffected.
The vulnerability is addressed in OpenTelemetry-Go version 1.41.0. Practitioners should consult the security advisory at https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475 for patch details, upgrade instructions, and additional mitigation recommendations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19938
Vulnerability details
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE enables remote exploitation of public-facing apps (T1190) via crafted HTTP baggage headers, directly resulting in application-level resource exhaustion DoS (T1499.004).
Mitigating Controls (NIST 800-53 r5)
SI-2 ensures timely flaw remediation by requiring patching of known vulnerabilities like CVE-2026-29181 in OpenTelemetry-Go versions 1.36.0-1.40.0.
SC-5 implements denial-of-service protections at system boundaries to block resource exhaustion attacks from excessive baggage headers.
SC-6 enforces resource allocation limits and prioritization to prevent CPU and memory depletion from aggregated baggage header parsing.
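A compensating control in the spirit of SC-6 for deployments that cannot yet move to 1.41.0, added here as an example and not code from this page or from the OpenTelemetry project: a Go net/http middleware that bounds the number and the aggregate size of baggage: header lines before any propagator parses them, so the per-value 8192-byte limit described above is backed by an aggregate limit. The thresholds maxBaggageLines and maxBaggageBytes and the helper names are assumptions, not values from the advisory or the upstream fix.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Assumed thresholds (constructed for this example, not from the advisory or the
// upstream fix): bound the count and total size of baggage: lines before any
// propagator parses them; the 8192-byte per-value limit alone does not do this.
const (
	maxBaggageLines = 8
	maxBaggageBytes = 8192 // aggregate across all baggage: lines, not per line
)

// baggageWithinLimits checks both the line-count and the aggregate-byte limit.
func baggageWithinLimits(h http.Header) bool {
	total := 0
	for i, v := range h.Values("Baggage") { // every field-value, in order
		total += len(v)
		if i >= maxBaggageLines || total > maxBaggageBytes {
			return false
		}
	}
	return true
}

// LimitBaggage answers 431 before the wrapped handler (and any OpenTelemetry
// propagator behind it) sees an over-limit set of baggage: headers.
func LimitBaggage(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !baggageWithinLimits(r.Header) {
			http.Error(w, "baggage headers exceed limits", http.StatusRequestHeaderFieldsTooLarge)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one request with the given baggage: lines through the middleware.
func statusFor(baggageLines []string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	for _, l := range baggageLines {
		req.Header.Add("Baggage", l)
	}
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	LimitBaggage(ok).ServeHTTP(rec, req)
	return rec.Code
}
```

Wrap the service's router with LimitBaggage ahead of the OpenTelemetry HTTP instrumentation so rejected requests never reach the baggage propagator; a 431 response is also a cheap, loggable detection signal for this traffic pattern.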