CVE-2026-41433
Published: 24 April 2026
Summary
CVE-2026-41433 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the vulnerability by requiring timely remediation through patching to version 0.8.0 or later, which fixes the unsafe TMPDIR handling and file creation semantics.
Enforces least privilege on the elevated OBI process to prevent low-privileged Java workloads from achieving arbitrary host file overwrites via filesystem boundary escape.
Restricts unnecessary Java injection functionality in OBI, eliminating the attack vector when the feature is not required.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows a low-privileged local attacker controlling a Java process to exploit path traversal and symlink following in a privileged OpenTelemetry eBPF agent, enabling arbitrary file overwrites on the host filesystem with high integrity/availability impact and changed scope, directly facilitating local privilege escalation.
NVD Description
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From 0.4.0 to before 0.8.0, a flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary host files when Java injection…
more
is enabled and OBI is running with elevated privileges. The injector trusted TMPDIR from the target process and used unsafe file creation semantics, enabling both filesystem boundary escape and symlink-based file clobbering. This vulnerability is fixed in 0.8.0.
Deeper analysisAI
CVE-2026-41433 affects OpenTelemetry eBPF Instrumentation, an eBPF-based tool for instrumentation adhering to the OpenTelemetry standard. Versions from 0.4.0 up to but not including 0.8.0 contain a flaw in the Java agent injection path. This vulnerability arises because the injector trusts the TMPDIR environment variable from the target Java process and employs unsafe file creation semantics, permitting filesystem boundary escapes and symlink-based file clobbering. It has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H) and is associated with CWE-22 (Path Traversal) and CWE-59 (Symbolic Link Following).
A local attacker with low privileges (PR:L) who controls a Java workload can exploit this issue when Java injection is enabled and the OpenTelemetry eBPF Instrumentation (OBI) runs with elevated privileges on the host. By manipulating TMPDIR, the attacker can overwrite arbitrary files on the host filesystem, achieving high impact on integrity (I:H) and availability (A:H) with a changed scope (S:C). No user interaction is required (UI:N), and the low attack complexity (AC:L) makes exploitation straightforward in containerized or multi-tenant environments where Java applications run alongside privileged monitoring agents.
The vulnerability is addressed in version 0.8.0 of OpenTelemetry eBPF Instrumentation, as detailed in the project's release notes and GitHub security advisory GHSA-8gmg-3w2q-65f4. Security practitioners should upgrade to 0.8.0 or later, disable Java injection if unnecessary, and ensure OBI does not run with excessive privileges. Review of host filesystem access controls and monitoring for suspicious file modifications in temporary directories is also recommended.
Details
- CWE(s)