Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

opentelemetry-java-instrumentation

Source -

ADPCNA

CNA CVEs -

4

ADP CVEs -

1

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
4Vulnerabilities found

CVE-2026-54712
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 17.81%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 21:17
Updated-06 Jul, 2026 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenTelemetry Javaagent RMI context propagation allows resource exhaustion

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.27.0, the RMI context propagation payload reader limits the number of context entries but does not limit the aggregate size of the strings read from the stream. An attacker who can reach an RMI endpoint on an instrumented JVM can send an oversized context propagation payload. This can cause excessive memory allocation while the JVM reads the payload, potentially leading to denial of service. The issue affects only deployments where RMI instrumentation is enabled and an RMI endpoint is network-reachable. This issue has been fixed in version 2.27.0.

Action-Not Available
Vendor-open-telemetryThe Linux Foundation
Product-opentelemetry_instrumentation_for_javaopentelemetry-java-instrumentation
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-54704
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.22% / 12.96%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 21:15
Updated-06 Jul, 2026 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenTelemetry Java Instrumentation: JDBC Auto-Instrumentation Logging Clear-Text Passwords

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.28.0, the JDBC auto-instrumentation may fail to sanitize passwords in SQL CONNECT statements when the password is double-quoted. As a result, clear-text database passwords can be added to trace span attributes and exported to observability backends. This issue has been fixed in version 2.28.0.

Action-Not Available
Vendor-open-telemetryThe Linux Foundation
Product-opentelemetry_instrumentation_for_javaopentelemetry-java-instrumentation
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2026-33701
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-0.93% / 56.75%
||
7 Day CHG~0.00%
Published-27 Mar, 2026 | 00:01
Updated-15 Jul, 2026 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.

Action-Not Available
Vendor-open-telemetryRed Hat, Inc.The Linux Foundation
Product-opentelemetry_instrumentation_for_javaopentelemetry-java-instrumentationRed Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 8
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-39951
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.67% / 47.95%
||
7 Day CHG~0.00%
Published-08 Aug, 2023 | 21:02
Updated-03 Oct, 2024 | 15:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Instrumentation for AWS SDK v2 captures email content when using Amazon Simple Email Service (SES) v1 API, exposing that content to the telemetry backend

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. OpenTelemetry Java Instrumentation prior to version 1.28.0 contains an issue related to the instrumentation of Java applications using the AWS SDK v2 with Amazon Simple Email Service (SES) v1 API. When SES POST requests are instrumented, the query parameters of the request are inserted into the trace `url.path` field. This behavior leads to the http body, containing the email subject and message, to be present in the trace request url metadata. Any user using a version before 1.28.0 of OpenTelemetry Java Instrumentation to instrument AWS SDK v2 call to SES’s v1 SendEmail API is affected. The e-mail content sent to SES may end up in telemetry backend. This exposes the e-mail content to unintended audiences. The issue can be mitigated by updating OpenTelemetry Java Instrumentation to version 1.28.0 or later.

Action-Not Available
Vendor-open-telemetryopentelemetryThe Linux Foundation
Product-opentelemetry_instrumentation_for_javaopentelemetry-java-instrumentationopentelemetry-java-instrumentation
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor