CVE-2026-42191: CWE-379: Creation of Temporary File in Directory with Insecure Permissions in open-telemetry opentelemetry-dotnet
OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured. The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path. On multi-user systems where the temporary directory is accessible to other local accounts, this allows an attacker to write crafted *.blob files, read *.blob files written by the application between export failures, or deposit numerous or oversized blob files, degrading retry-loop performance or consuming disk space. This vulnerability is fixed in 1.15.3.
AI Analysis
Technical Summary
The OpenTelemetry.Exporter.OpenTelemetryProtocol component in opentelemetry-dotnet versions 1.8.0 through 1.15.2 uses the system temporary directory (Path.GetTempPath()) for storing retry blob files when the disk retry feature is enabled but no custom directory path is configured. Because the temporary directory is shared and accessible by other local users, attackers can create or read blob files, or fill the directory with large files, impacting confidentiality and availability. This is classified as CWE-379 (Creation of Temporary File in Directory with Insecure Permissions). The vulnerability is addressed in version 1.15.3.
Potential Impact
On multi-user systems, local attackers with low privileges can exploit this vulnerability to read sensitive telemetry data stored in blob files, write crafted files to interfere with the exporter's retry mechanism, or degrade service by consuming disk space. The CVSS 3.1 score is 6.5 (medium severity), reflecting high confidentiality and integrity impact with limited attack vector (local) and higher attack complexity.
Mitigation Recommendations
Upgrade opentelemetry-dotnet to version 1.15.3 or later, where this vulnerability is fixed by avoiding insecure use of the shared temporary directory for blob files. Until upgraded, consider configuring a secure, dedicated directory for OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH to restrict access. Patch status is not explicitly stated in the vendor advisory, but the fix is included in version 1.15.3.
CVE-2026-42191: CWE-379: Creation of Temporary File in Directory with Insecure Permissions in open-telemetry opentelemetry-dotnet
Description
OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured. The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path. On multi-user systems where the temporary directory is accessible to other local accounts, this allows an attacker to write crafted *.blob files, read *.blob files written by the application between export failures, or deposit numerous or oversized blob files, degrading retry-loop performance or consuming disk space. This vulnerability is fixed in 1.15.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The OpenTelemetry.Exporter.OpenTelemetryProtocol component in opentelemetry-dotnet versions 1.8.0 through 1.15.2 uses the system temporary directory (Path.GetTempPath()) for storing retry blob files when the disk retry feature is enabled but no custom directory path is configured. Because the temporary directory is shared and accessible by other local users, attackers can create or read blob files, or fill the directory with large files, impacting confidentiality and availability. This is classified as CWE-379 (Creation of Temporary File in Directory with Insecure Permissions). The vulnerability is addressed in version 1.15.3.
Potential Impact
On multi-user systems, local attackers with low privileges can exploit this vulnerability to read sensitive telemetry data stored in blob files, write crafted files to interfere with the exporter's retry mechanism, or degrade service by consuming disk space. The CVSS 3.1 score is 6.5 (medium severity), reflecting high confidentiality and integrity impact with limited attack vector (local) and higher attack complexity.
Mitigation Recommendations
Upgrade opentelemetry-dotnet to version 1.15.3 or later, where this vulnerability is fixed by avoiding insecure use of the shared temporary directory for blob files. Until upgraded, consider configuring a secure, dedicated directory for OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH to restrict access. Patch status is not explicitly stated in the vendor advisory, but the fix is included in version 1.15.3.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T01:53:21.583Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a03813ccbff5d861012f65d
Added to database: 5/12/2026, 7:36:28 PM
Last enriched: 5/12/2026, 8:08:19 PM
Last updated: 5/13/2026, 5:00:36 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.