CVE-2026-24051 is a vulnerability classified under CWE-426 (Untrusted Search Path) found in the OpenTelemetry-Go SDK, specifically in versions from 1.21.0 up to 1.39.0. The flaw exists in the resource detection component (sdk/resource/host_id.go), which executes the 'ioreg' system command on macOS/Darwin platforms without specifying an absolute path. This allows the system to resolve the command based on the PATH environment variable. If an attacker has the ability to locally modify the PATH variable, they can insert a malicious executable named 'ioreg' earlier in the search path. Consequently, when the OpenTelemetry-Go SDK runs this command, it executes the attacker's code instead of the legitimate system utility. This leads to arbitrary code execution within the context of the vulnerable application. The vulnerability requires local access and limited privileges but does not require user interaction. The CVSS v3.1 score is 7.0 (high), reflecting the significant impact on confidentiality, integrity, and availability, combined with the complexity of exploitation due to the need for local access and control over environment variables. No public exploits have been reported yet, but the risk remains substantial given the widespread use of OpenTelemetry in observability and monitoring solutions. The issue was resolved in version 1.40.0 by likely specifying absolute paths or otherwise securing command execution to prevent path hijacking.

For European organizations, the impact of CVE-2026-24051 can be significant, especially those relying on OpenTelemetry-Go for telemetry data collection and monitoring on macOS systems. Successful exploitation could allow attackers with local access to execute arbitrary code, potentially leading to data breaches, manipulation of telemetry data, or disruption of monitoring infrastructure. This could undermine incident detection and response capabilities, affecting operational continuity and compliance with data protection regulations such as GDPR. Organizations in sectors with high security requirements—such as finance, healthcare, and critical infrastructure—may face increased risk due to the potential for lateral movement and privilege escalation within their environments. Additionally, the vulnerability could be leveraged in targeted attacks where adversaries have gained initial footholds on macOS endpoints. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities post-disclosure.

European organizations should immediately upgrade all OpenTelemetry-Go SDK instances on macOS systems to version 1.40.0 or later, where the vulnerability is patched. Until upgrades are complete, restrict the ability of users and processes to modify the PATH environment variable, especially in contexts where OpenTelemetry-Go is executed. Implement strict local access controls and monitoring to detect unauthorized environment changes or suspicious execution of commands named 'ioreg'. Employ application whitelisting and endpoint protection solutions that can detect anomalous process execution. Review and harden deployment environments to minimize local privilege escalation opportunities. Additionally, consider containerizing telemetry agents with locked-down environments to prevent PATH manipulation. Regularly audit telemetry infrastructure and logs for signs of compromise or unusual behavior. Finally, maintain an inventory of affected software versions to ensure comprehensive remediation.