GHSA-2jc5-xhx8-qj6h: fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry`
The fluent-plugin-opentelemetry's in_opentelemetry HTTP input lacks strict size limits on incoming requests, allowing attackers to send excessively large or highly compressed payloads. This can cause the plugin to consume excessive memory during decompression, leading to a Denial of Service (DoS) by exhausting system resources and potentially crashing the Fluentd process. The vulnerability affects versions prior to 0.5.3. Mitigations include restricting network access to trusted sources and using a reverse proxy to enforce size limits and handle decompression. An official patch is available in version 0.5.3.
AI Analysis
Technical Summary
The fluent-plugin-opentelemetry plugin's in_opentelemetry HTTP input does not enforce maximum size thresholds on incoming request bodies. It reads and decompresses the entire payload into memory without limits, enabling an attacker to send large or maliciously compressed requests that expand to excessive sizes. This results in rapid memory consumption that can cause the Fluentd process to be terminated by the operating system, disrupting log collection and forwarding. The vulnerability is identified as CVE-2026-44163 and affects versions before 0.5.3. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling).
Potential Impact
This vulnerability allows an unauthenticated attacker to cause a Denial of Service (DoS) by exhausting memory resources on the affected system. The Fluentd process may be killed by the operating system due to out-of-memory conditions, resulting in loss of log collection and forwarding capabilities on the affected node. There is no impact on confidentiality or integrity reported.
Mitigation Recommendations
An official patch is available in version 0.5.3; upgrading to this version or later fully mitigates the vulnerability. If immediate upgrade is not possible, users should restrict network access to the OpenTelemetry ingestion port (default 4318) to trusted networks only, using firewall rules or security groups. Additionally, deploying a reverse proxy such as Nginx in front of Fluentd to handle gzip decompression and enforce strict limits on both compressed and uncompressed request body sizes is recommended to prevent exploitation.
GHSA-2jc5-xhx8-qj6h: fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry`
Description
The fluent-plugin-opentelemetry's in_opentelemetry HTTP input lacks strict size limits on incoming requests, allowing attackers to send excessively large or highly compressed payloads. This can cause the plugin to consume excessive memory during decompression, leading to a Denial of Service (DoS) by exhausting system resources and potentially crashing the Fluentd process. The vulnerability affects versions prior to 0.5.3. Mitigations include restricting network access to trusted sources and using a reverse proxy to enforce size limits and handle decompression. An official patch is available in version 0.5.3.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The fluent-plugin-opentelemetry plugin's in_opentelemetry HTTP input does not enforce maximum size thresholds on incoming request bodies. It reads and decompresses the entire payload into memory without limits, enabling an attacker to send large or maliciously compressed requests that expand to excessive sizes. This results in rapid memory consumption that can cause the Fluentd process to be terminated by the operating system, disrupting log collection and forwarding. The vulnerability is identified as CVE-2026-44163 and affects versions before 0.5.3. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling).
Potential Impact
This vulnerability allows an unauthenticated attacker to cause a Denial of Service (DoS) by exhausting memory resources on the affected system. The Fluentd process may be killed by the operating system due to out-of-memory conditions, resulting in loss of log collection and forwarding capabilities on the affected node. There is no impact on confidentiality or integrity reported.
Mitigation Recommendations
An official patch is available in version 0.5.3; upgrading to this version or later fully mitigates the vulnerability. If immediate upgrade is not possible, users should restrict network access to the OpenTelemetry ingestion port (default 4318) to trusted networks only, using firewall rules or security groups. Additionally, deploying a reverse proxy such as Nginx in front of Fluentd to handle gzip decompression and enforce strict limits on both compressed and uncompressed request body sizes is recommended to prevent exploitation.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-2jc5-xhx8-qj6h
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-44163"]
- Ecosystems
- ["RubyGems"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a3ef79427e9c79719ff7c07
Added to database: 06/26/2026, 22:05:08 UTC
Last enriched: 06/26/2026, 22:18:56 UTC
Last updated: 06/26/2026, 22:18:56 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.