CVE-2026-24051 is a vulnerability in the OpenTelemetry-Go SDK, specifically affecting versions from 1.21.0 up to 1.39.0 on macOS/Darwin platforms. The root cause is an untrusted search path (CWE-426) in the resource detection component located in sdk/resource/host_id.go, which executes the 'ioreg' system command without specifying its absolute path. This allows an attacker with local access and the ability to modify the PATH environment variable to influence which executable is run when the application calls 'ioreg'. By placing a malicious executable earlier in the PATH, the attacker can achieve arbitrary code execution within the context of the vulnerable application. The vulnerability requires local privileges to modify environment variables and has a high attack complexity due to the need for local access and environment manipulation. The CVSS v3.1 score is 7.0, reflecting high impact on confidentiality, integrity, and availability, but limited by the requirement for local privileges and no user interaction. No public exploits have been reported, but the risk remains significant for environments where local user controls are weak or where multiple users share systems. The issue was addressed in OpenTelemetry-Go version 1.40.0 by presumably specifying absolute paths or otherwise securing command execution.

For European organizations, the impact of CVE-2026-24051 is primarily on systems running macOS with vulnerable versions of OpenTelemetry-Go SDK. Organizations using OpenTelemetry for telemetry and observability in Go applications on macOS could face arbitrary code execution risks if an attacker gains local access and can manipulate environment variables. This could lead to unauthorized data access, system compromise, or disruption of telemetry services, potentially affecting monitoring and incident response capabilities. The vulnerability could be exploited in environments with shared workstations, developer machines, or CI/CD systems where local user controls are insufficient. Confidentiality, integrity, and availability of telemetry data and the host system are at risk. Given the high CVSS score, the threat is significant but constrained by the need for local access and environment manipulation. European organizations with macOS-based development or monitoring infrastructure should prioritize patching to avoid lateral movement or privilege escalation scenarios.

1. Upgrade all OpenTelemetry-Go SDK instances to version 1.40.0 or later, which contains the fix for this vulnerability. 2. Enforce strict local user permissions to prevent unauthorized modification of the PATH environment variable, especially on macOS systems running vulnerable versions. 3. Implement application whitelisting or integrity monitoring to detect unauthorized changes to executables or environment configurations. 4. Use containerization or sandboxing to isolate telemetry applications and limit the impact of potential local exploits. 5. Audit and restrict local access to systems running OpenTelemetry-Go to trusted users only. 6. Monitor logs and system behavior for unusual command executions or environment variable changes. 7. Educate developers and system administrators about the risks of untrusted search paths and secure coding practices related to command execution.