Red Hat Security Advisory: Red Hat build of OpenTelemetry 3.9.2 release
The Red Hat build of OpenTelemetry 3. 9. 2 release addresses multiple security vulnerabilities including denial of service (DoS) issues in the XPath library and Go JOSE library, and an authorization bypass vulnerability in gRPC-Go. The XPath library vulnerability caused infinite loops leading to 100% CPU usage. The gRPC-Go flaw allowed attackers to bypass security policies by sending malformed HTTP/2 ':path' headers. The Go JOSE issue caused application crashes when processing malformed JSON Web Encryption objects. These vulnerabilities have been fixed in this release, improving system stability and security. No breaking changes or deprecations were introduced. A known issue affecting filesystem metrics collection remains without a workaround. No exploits are known in the wild.
AI Analysis
Technical Summary
This security advisory for Red Hat build of OpenTelemetry 3.9.2 fixes three main vulnerabilities: CVE-2026-32287 addresses a denial of service in the 'github.com/antchfx/xpath' library where specially crafted boolean XPath expressions caused infinite loops and 100% CPU utilization; CVE-2026-33186 fixes an authorization bypass in gRPC-Go due to improper validation of the HTTP/2 ':path' pseudo-header allowing attackers to bypass security policies by sending malformed ':path' headers without a leading slash; CVE-2026-34986 resolves a denial of service in the Go JOSE library where decrypting malformed JSON Web Encryption objects with empty encrypted key fields caused application crashes. The update ensures proper validation and handling to prevent these issues. There are no breaking changes or deprecations, and no known exploits in the wild. The advisory includes a known issue with filesystem metrics collection after upgrading the collector component, with no current workaround. The vendor provides official fixes in this release.
Potential Impact
The vulnerabilities fixed in this release could lead to denial of service conditions causing high CPU usage or application crashes, and an authorization bypass allowing unauthorized access or information disclosure. These issues affect components used in Red Hat OpenShift distributed tracing and related OpenTelemetry deployments. Successful exploitation could disrupt service availability or compromise security policies. However, no known exploits are reported in the wild at this time.
Mitigation Recommendations
An official fix is available in Red Hat build of OpenTelemetry 3.9.2. Users should apply this update to remediate the XPath library denial of service, gRPC-Go authorization bypass, and Go JOSE denial of service vulnerabilities. For upgrade instructions, refer to Red Hat's documentation on upgrading operators in OpenShift. No additional mitigations are required beyond applying the update. Note the known issue with filesystem scraper metrics after upgrading; monitor Red Hat's issue tracker for updates.
Red Hat Security Advisory: Red Hat build of OpenTelemetry 3.9.2 release
Description
The Red Hat build of OpenTelemetry 3. 9. 2 release addresses multiple security vulnerabilities including denial of service (DoS) issues in the XPath library and Go JOSE library, and an authorization bypass vulnerability in gRPC-Go. The XPath library vulnerability caused infinite loops leading to 100% CPU usage. The gRPC-Go flaw allowed attackers to bypass security policies by sending malformed HTTP/2 ':path' headers. The Go JOSE issue caused application crashes when processing malformed JSON Web Encryption objects. These vulnerabilities have been fixed in this release, improving system stability and security. No breaking changes or deprecations were introduced. A known issue affecting filesystem metrics collection remains without a workaround. No exploits are known in the wild.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This security advisory for Red Hat build of OpenTelemetry 3.9.2 fixes three main vulnerabilities: CVE-2026-32287 addresses a denial of service in the 'github.com/antchfx/xpath' library where specially crafted boolean XPath expressions caused infinite loops and 100% CPU utilization; CVE-2026-33186 fixes an authorization bypass in gRPC-Go due to improper validation of the HTTP/2 ':path' pseudo-header allowing attackers to bypass security policies by sending malformed ':path' headers without a leading slash; CVE-2026-34986 resolves a denial of service in the Go JOSE library where decrypting malformed JSON Web Encryption objects with empty encrypted key fields caused application crashes. The update ensures proper validation and handling to prevent these issues. There are no breaking changes or deprecations, and no known exploits in the wild. The advisory includes a known issue with filesystem metrics collection after upgrading the collector component, with no current workaround. The vendor provides official fixes in this release.
Potential Impact
The vulnerabilities fixed in this release could lead to denial of service conditions causing high CPU usage or application crashes, and an authorization bypass allowing unauthorized access or information disclosure. These issues affect components used in Red Hat OpenShift distributed tracing and related OpenTelemetry deployments. Successful exploitation could disrupt service availability or compromise security policies. However, no known exploits are reported in the wild at this time.
Mitigation Recommendations
An official fix is available in Red Hat build of OpenTelemetry 3.9.2. Users should apply this update to remediate the XPath library denial of service, gRPC-Go authorization bypass, and Go JOSE denial of service vulnerabilities. For upgrade instructions, refer to Red Hat's documentation on upgrading operators in OpenShift. No additional mitigations are required beyond applying the update. Note the known issue with filesystem scraper metrics after upgrading; monitor Red Hat's issue tracker for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:9388
- Cve Count
- 3
- Additional Cves
- ["CVE-2026-33186","CVE-2026-34986"]
- Cvss Version
- null
Threat ID: 6a160952e29bf47b50618c91
Added to database: 5/26/2026, 8:57:54 PM
Last enriched: 5/26/2026, 8:59:39 PM
Last updated: 5/27/2026, 4:55:11 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.