WhisperX tag archive

#OpenTelemetry

This page collects WhisperX intelligence signals tagged #OpenTelemetry. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (10)

The Lab · 2026-03-26 02:27:01 · GitHub Issues

1. OpenBao 2.4.x branch hit by high-severity vulnerability GO-2026-4394: OpenTelemetry SDK carries arbitrary code execution risk

A high-severity security vulnerability (GO-2026-4394), introduced by an upstream dependency, has been found in the code of the OpenBao project's `release/2.4.x` branch. The vulnerability originates in the Go OpenTelemetry SDK (go.opentelemetry.io/otel/sdk) and carries a risk of arbitrary code execution through PATH environment variable hijacking. The security scanner govulncheck has flagged the vulnerability as "REACHABLE" in the codebase, indicating that an attack path exists. The vulnerability directly affects several of OpenBao's core functional modules. Affected code locations include PKI certificate management (`acme_errors.go`, `pki_cluster.go`), the server and agent main programs (`agent.go`,...

The Lab · 2026-03-31 12:27:45 · GitHub Issues

2. OpenBao 2.4.x branch hit by high-severity vulnerability GO-2026-4394; OpenTelemetry SDK carries code execution risk

A key release branch of the OpenBao project has been reported to contain an exploitable high-severity security vulnerability. In the `release/2.4.x` branch of the `openbao/openbao` repository, the automated security scanner govulncheck detected vulnerability GO-2026-4394, with its status marked as "exploitable". The root cause lies in the OpenTelemetry Go SDK component the project depends on, specifically several related modules including `go.opentelemetry.io/otel/sdk`; an attacker could potentially achieve arbitrary code execution through PATH environment variable hijacking. The vulnerability directly affects several of OpenBao's core dependencies, including `github.com/docker/docker`, `google.gola...

The Lab · 2026-04-01 03:27:01 · GitHub Issues

3. Sentry's OpenTelemetry-JS Library Exposes High-Severity Handlebars Vulnerability

A high-severity vulnerability has been identified within the `getsentry/opentelemetry-js` repository, a key component of Sentry's observability stack. The flaw, tracked under the weakness identifier `ssc-7655e34f-47d3-43f6-b687-32e02f3c8005`, is assessed as 'Conditionally Reachable,' indicating a significant but not un...

The Lab · 2026-04-06 01:27:00 · GitHub Issues

4. OpenBao 2.4.x branch hit by high-severity vulnerability GO-2026-4394; OpenTelemetry SDK carries code execution risk

An exploitable high-severity security vulnerability has been found in a key release branch of the OpenBao project. The security scanner govulncheck flagged vulnerability GO-2026-4394 in the `release/2.4.x` branch of the `openbao/openbao` repository, with its status marked as "exploitable". The root cause is a defect in the OpenTelemetry Go SDK (`go.opentelemetry.io/otel/sdk`) the project depends on; an attacker could potentially achieve arbitrary code execution through PATH environment variable hijacking. The vulnerability involves several core dependencies, including `github.com/docker/docker`, `google.golang.org/grpc`, `k8s.io/client-...

The Lab · 2026-04-09 04:27:04 · GitHub Issues

5. McKinsey's 'Agents at Scale' Codebase Flags High-Severity CVE-2026-39883 in OpenTelemetry-Go

A high-severity security violation has been flagged within a major McKinsey & Company project. The JFrog Xray security scan for the 'agents-at-scale-ark' repository detected CVE-2026-39883, a vulnerability in the OpenTelemetry-Go library that could allow for PATH hijacking attacks on BSD and Solaris platforms. The find...

The Lab · 2026-04-09 09:27:06 · GitHub Issues

6. OpenTelemetry-Go vulnerability CVE-2026-39883: PATH hijacking risk on BSD/Solaris platforms

While fixing an earlier vulnerability, the OpenTelemetry-Go project inadvertently left a new security hole open on BSD and Solaris systems. The vulnerability (CVE-2026-39883), rated high risk, stems from an inconsistency in the developers' fix for CVE-2026-24051. Specifically, the fix used an absolute path for the `ioreg` command on Darwin systems but left the `kenv` command on BSD systems using a relative path, which allows an attacker who can manipulate the system PATH environment variable to execute arbitrary code on affected systems. This vulnerability affects all OpenTelemetry-Go versions from 1.15.0 to 1.42.0. The problematic code exists in several of the project's branches, including `release-1.17`. The discovery of this vulnerability...

The Lab · 2026-04-14 21:22:51 · GitHub Issues

7. OpenTelemetry Go SDK security update: CVE-2026-39883 fixes PATH hijacking vulnerability on BSD/Solaris platforms

The OpenTelemetry Go SDK has released a critical security update fixing a PATH environment variable hijacking vulnerability that affects BSD and Solaris platforms. Tracked as CVE-2026-39883, the vulnerability stems from an incomplete fix for an earlier, similar Darwin vulnerability (CVE-2026-24051). An attacker who controls the system PATH environment variable could trick the SDK into executing a malicious program, thereby obtaining sensitive information such as host identifiers. The root cause lies in the code logic at line 42 of the `sdk/resource/host_id.go` file. When fixing the `ioreg` command invocation for Darwin systems, the developers changed it to use an absolute path to prevent PATH hijacking. However, in the same file, the code used for BSD and Solaris systems...

The Lab · 2026-04-24 22:54:07 · GitHub Issues

8. OpenTelemetry-Go Baggage Parsing Vulnerability Enables Remote DoS Amplification

A security vulnerability in the OpenTelemetry-Go library exposes applications to potential denial-of-service attacks through crafted baggage headers. The flaw (CVE-2026-29181, tracked as GHSA-mh2q-q3fh-2475) allows remote attackers to trigger excessive memory allocations by sending specially constructed multi-value bag...

The Lab · 2026-04-29 03:54:08 · GitHub Issues

9. High-Severity Command Injection Vulnerability Found in getsentry/opentelemetry-js GitHub Actions Workflow

Security researchers have identified a high-severity command injection vulnerability in the getsentry/opentelemetry-js repository, specifically within the .github/workflows/changelog.yml file. The flaw stems from a run-shell-injection weakness in the GitHub Actions workflow configuration, posing risks of unauthorized c...

The Lab · 2026-05-11 16:40:35 · GitHub Issues

10. OpenTelemetry Prometheus Exporter Vulnerability Patched: CVE-2026-44902 Allows Denial-of-Service via Malformed HTTP Request

A critical security vulnerability has been identified in the OpenTelemetry JavaScript Prometheus exporter, potentially allowing remote attackers to crash affected processes by sending specially crafted HTTP requests. The flaw, tracked as CVE-2026-44902 and documented under GHSA-q7rr-3cgh-j5r3, specifically affects the ...