CVE-2026-39883
Published: 08 April 2026
Summary
CVE-2026-39883 is a high-severity Untrusted Search Path (CWE-426) vulnerability in OpenTelemetry-Go. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by PATH Environment Variable (T1574.007). It is ranked at the 9.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20630
Vulnerability details
OpenTelemetry-Go is the Go implementation of OpenTelemetry. In versions 1.15.0 through 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command invoked by its bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CWE-426 untrusted search path in the kenv invocation directly enables PATH environment variable interception for execution hijacking on BSD/Solaris.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.