Cyber Resilience

CVE-2026-29181

Severity: High · Public PoC · DDoS

Published: 07 April 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: fixed in 1.41.0
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0008 (23.2nd percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29181 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in OpenTelemetry-Go (vendor: OpenTelemetry). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 23.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST SP 800-53 SC-5 (Denial-of-Service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-29181 is a denial-of-service vulnerability in OpenTelemetry-Go, the Go implementation of OpenTelemetry, affecting versions 1.36.0 through 1.40.0. The issue stems from the multi-value baggage header extraction mechanism: each `baggage` header field-value is parsed independently, and the resulting members are aggregated across all values. Because the 8192-byte parse limit applies per value rather than to the request as a whole, an attacker can amplify CPU usage and memory allocations by sending many baggage header lines that each individually stay within that limit. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Any unauthenticated attacker with network access to a service using the affected OpenTelemetry-Go library can exploit this vulnerability by sending HTTP requests carrying many baggage header lines. Exploitation requires low complexity and no user interaction, and results in remote denial of service through resource exhaustion: a high-impact availability disruption via excessive CPU and allocation demands, while confidentiality and integrity remain unaffected.

The vulnerability is addressed in OpenTelemetry-Go version 1.41.0. Practitioners should consult the security advisory at https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475 for patch details, upgrade instructions, and additional mitigation recommendations.
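The following is an added defender-side example, not code from the OpenTelemetry-Go project or from its 1.41.0 fix: a Go `net/http` middleware that enforces the SC-6 idea of a request-wide budget on the `baggage` header before any propagator parses it. It counts every header line and their combined bytes, so splitting a payload across many small values, the amplification described above, is rejected with 431 Request Header Fields Too Large. The constants `maxBaggageLines` and `maxBaggageBytes`, the helper names, and the constructed requests in `simulate` are assumptions for illustration; upgrading to 1.41.0 remains the fix.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Request-wide budget for the W3C "baggage" header, applied before the
// OpenTelemetry propagator ever sees the request. Both values are assumed
// example limits chosen here, not values taken from the advisory or the library.
const (
	maxBaggageLines = 4    // assumed: more than a handful of baggage header lines is abnormal
	maxBaggageBytes = 8192 // assumed: total budget across ALL lines, not per value
)

// baggageWithinBudget reports whether the combined baggage header lines of a
// request stay under both limits, and returns the observed line and byte counts.
func baggageWithinBudget(h http.Header, maxLines, maxBytes int) (ok bool, lines, total int) {
	values := h.Values("Baggage") // canonical key; also matches "baggage" and "BAGGAGE"
	lines = len(values)
	for _, v := range values {
		total += len(v)
	}
	return lines <= maxLines && total <= maxBytes, lines, total
}

// limitBaggage is an http.Handler middleware that rejects over-budget requests
// with 431 before any downstream baggage parsing (and its allocations) happens.
func limitBaggage(next http.Handler, maxLines, maxBytes int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ok, lines, total := baggageWithinBudget(r.Header, maxLines, maxBytes); !ok {
			// Log only the counts: the header contents are attacker-controlled and possibly large.
			fmt.Printf("rejected request from %s: %d baggage lines, %d bytes\n", r.RemoteAddr, lines, total)
			http.Error(w, "too many or too large baggage header fields", http.StatusRequestHeaderFieldsTooLarge)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// simulate builds a constructed request with n baggage lines of roughly the given
// size, runs it through the middleware and returns the HTTP status code.
func simulate(n, size int) int {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	h := limitBaggage(inner, maxBaggageLines, maxBaggageBytes)
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	for i := 0; i < n; i++ {
		// constructed baggage member "kN=vvv...", padded to the requested size
		member := fmt.Sprintf("k%d=", i)
		pad := size - len(member)
		if pad < 0 {
			pad = 0
		}
		req.Header.Add("Baggage", member+strings.Repeat("v", pad))
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("one normal line:", simulate(1, 64))               // 200
	fmt.Println("many small lines:", simulate(50, 64))             // 431
	fmt.Println("few lines, over byte budget:", simulate(3, 4000)) // 431
}
```

The middleware sits in front of whatever handler installs the OpenTelemetry propagator, so the per-request cost of an over-budget request is a header count and a few integer additions rather than member parsing and aggregation. Only counts are logged, which also gives detection a cheap signal (a spike in 431s with high baggage line counts) without persisting attacker-controlled header bodies.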

Vulnerability details

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify CPU and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling
Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The CVE enables remote exploitation of public-facing applications (T1190) via crafted HTTP baggage headers, directly resulting in application-level resource exhaustion DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40395 (shared CWE-770)
CVE-2026-28461 (shared CWE-770)
CVE-2020-37067 (shared CWE-770)
CVE-2025-1257 (shared CWE-770)
CVE-2025-24312 (shared CWE-770)
CVE-2026-5439 (shared CWE-770)
CVE-2026-30946 (shared CWE-770)
CVE-2026-20103 (shared CWE-770)
CVE-2026-32011 (shared CWE-770)
CVE-2026-1848 (shared CWE-770)

Affected Assets

Vendor: opentelemetry
Product: opentelemetry
Affected versions: 1.36.0 to 1.41.0 (fixed in 1.41.0)

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 (prevent): ensures timely flaw remediation by requiring patching of known vulnerabilities like CVE-2026-29181 in OpenTelemetry-Go versions 1.36.0-1.40.0.

SC-5 (prevent): implements denial-of-service protections at system boundaries to block resource exhaustion attacks from excessive baggage headers.

SC-6 (prevent): enforces resource allocation limits and prioritization to prevent CPU and memory depletion from aggregated baggage header parsing.
