NVD - CVE-2026-29181
Initial Analysis by NIST 4/14/2026 2:45:01 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | | OR *cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:go:*:* versions from (including) 1.36.0 up to (excluding) 1.41.0 |
| Added | Reference Type | | GitHub, Inc.: https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475 Types: Exploit, Vendor Advisory |
New CVE Received from GitHub, Inc. 4/07/2026 5:17:16 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | | OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify CPU and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0. |
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Added | CWE | | CWE-770 |
| Added | Reference | | https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475 |