Cyber Resilience

CVE-2026-41433

HighPublic PoC

Published: 24 April 2026

Published
24 April 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
EPSS Score 0.0019 9.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41433 is a high-severity Path Traversal (CWE-22) vulnerability in Opentelemetry Opentelemetry Ebpf Instrumentation. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-41433 affects OpenTelemetry eBPF Instrumentation, an eBPF-based tool for instrumentation adhering to the OpenTelemetry standard. Versions from 0.4.0 up to but not including 0.8.0 contain a flaw in the Java agent injection path. This vulnerability arises because the injector trusts the TMPDIR environment variable from the target Java process and employs unsafe file creation semantics, permitting filesystem boundary escapes and symlink-based file clobbering. It has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H) and is associated with CWE-22 (Path Traversal) and CWE-59 (Symbolic Link Following).

A local attacker with low privileges (PR:L) who controls a Java workload can exploit this issue when Java injection is enabled and the OpenTelemetry eBPF Instrumentation (OBI) runs with elevated privileges on the host. By manipulating TMPDIR, the attacker can overwrite arbitrary files on the host filesystem, achieving high impact on integrity (I:H) and availability (A:H) with a changed scope (S:C). No user interaction is required (UI:N), and the low attack complexity (AC:L) makes exploitation straightforward in containerized or multi-tenant environments where Java applications run alongside privileged monitoring agents.

The vulnerability is addressed in version 0.8.0 of OpenTelemetry eBPF Instrumentation, as detailed in the project's release notes and GitHub security advisory GHSA-8gmg-3w2q-65f4. Security practitioners should upgrade to 0.8.0 or later, disable Java injection if unnecessary, and ensure OBI does not run with excessive privileges. Review of host filesystem access controls and monitoring for suspicious file modifications in temporary directories is also recommended.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From 0.4.0 to before 0.8.0, a flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary host files when Java injection…

more

is enabled and OBI is running with elevated privileges. The injector trusted TMPDIR from the target process and used unsafe file creation semantics, enabling both filesystem boundary escape and symlink-based file clobbering. This vulnerability is fixed in 0.8.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability allows a low-privileged local attacker controlling a Java process to exploit path traversal and symlink following in a privileged OpenTelemetry eBPF agent, enabling arbitrary file overwrites on the host filesystem with high integrity/availability impact and changed scope, directly facilitating local privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29181Same vendor: Opentelemetry
CVE-2025-15310Shared CWE-59
CVE-2025-21391Shared CWE-59
CVE-2025-43257Shared CWE-59
CVE-2025-63946Shared CWE-59
CVE-2025-41666Shared CWE-59
CVE-2025-41667Shared CWE-59
CVE-2016-20041Shared CWE-22
CVE-2025-63945Shared CWE-59
CVE-2025-66429Shared CWE-22

Affected Assets

opentelemetry
opentelemetry ebpf instrumentation
0.4.0 — 0.8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the vulnerability by requiring timely remediation through patching to version 0.8.0 or later, which fixes the unsafe TMPDIR handling and file creation semantics.

prevent

Enforces least privilege on the elevated OBI process to prevent low-privileged Java workloads from achieving arbitrary host file overwrites via filesystem boundary escape.

prevent

Restricts unnecessary Java injection functionality in OBI, eliminating the attack vector when the feature is not required.

References