CVE-2026-45292: CWE-770: Allocation of Resources Without Limits or Throttling in open-telemetry opentelemetry-java
opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This vulnerability is fixed in 1.62.0.
AI Analysis
Technical Summary
CVE-2026-45292 is a resource exhaustion vulnerability in the opentelemetry-java project, specifically in the baggage propagation components of opentelemetry-api and opentelemetry-extension-trace-propagators. When processing oversized baggage, the implementation allocates resources without limits or throttling, leading to unbounded memory and CPU consumption. Since baggage is automatically re-injected into outgoing requests, the impact can cascade to downstream services that did not receive the original malicious request. The vulnerability affects all versions prior to 1.62.0 and has a CVSS v3.1 base score of 5.3 (medium severity).
Potential Impact
The vulnerability can cause denial of service conditions through excessive memory and CPU usage when processing oversized baggage in telemetry data. This resource exhaustion can propagate to downstream services, potentially amplifying the impact. There is no impact on confidentiality or integrity reported, only availability is affected.
Mitigation Recommendations
A fix for this vulnerability is available in opentelemetry-java version 1.62.0. Users should upgrade to version 1.62.0 or later to remediate this issue. Patch status is not explicitly stated in the vendor advisory content, but the description confirms the vulnerability is fixed in 1.62.0. Until upgraded, users should consider limiting the size of baggage or applying custom throttling if possible.
CVE-2026-45292: CWE-770: Allocation of Resources Without Limits or Throttling in open-telemetry opentelemetry-java
Description
opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This vulnerability is fixed in 1.62.0.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-45292 is a resource exhaustion vulnerability in the opentelemetry-java project, specifically in the baggage propagation components of opentelemetry-api and opentelemetry-extension-trace-propagators. When processing oversized baggage, the implementation allocates resources without limits or throttling, leading to unbounded memory and CPU consumption. Since baggage is automatically re-injected into outgoing requests, the impact can cascade to downstream services that did not receive the original malicious request. The vulnerability affects all versions prior to 1.62.0 and has a CVSS v3.1 base score of 5.3 (medium severity).
Potential Impact
The vulnerability can cause denial of service conditions through excessive memory and CPU usage when processing oversized baggage in telemetry data. This resource exhaustion can propagate to downstream services, potentially amplifying the impact. There is no impact on confidentiality or integrity reported, only availability is affected.
Mitigation Recommendations
A fix for this vulnerability is available in opentelemetry-java version 1.62.0. Users should upgrade to version 1.62.0 or later to remediate this issue. Patch status is not explicitly stated in the vendor advisory content, but the description confirms the vulnerability is fixed in 1.62.0. Until upgraded, users should consider limiting the size of baggage or applying custom throttling if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-11T20:14:43.201Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1871ece29bf47b5012458d
Added to database: 5/28/2026, 4:48:44 PM
Last enriched: 5/28/2026, 5:04:50 PM
Last updated: 5/29/2026, 9:55:56 AM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.