Listen to this Post
How this CVE Works
The vulnerability exists in OBI’s Redis error-handling pipeline. In the `pkg/ebpf/common/redis_detect_transform.go` file, the `getRedisError` function trims the raw error buffer and stores it directly into `request.DBError.Description` without any sanitization beyond basic CRLF removal. Later, in pkg/appolly/app/request/span.go, this description is returned as the exported status message for Redis spans whenever the span status is non-zero. Because Redis error replies can contain attacker-controlled or sensitive values, this behavior can exfiltrate tokens, PII, or other confidential input into telemetry backends and inject untrusted text into downstream analysis systems. By sending a specially crafted Redis command that generates an error containing arbitrary text, an attacker can cause that text to be exported as part of the OTLP span status message. There is no opt-in control or additional sanitization, making this a default behavior that exposes internal tracing systems to information disclosure and injection attacks.
DailyCVE Form
Platform: OpenTelemetry eBPF (OBI)
Version: v0.0.0-rc.1+build
Vulnerability: Info disclosure via errors
Severity: Moderate (CVSS 5.3)
date: 2026‑05‑18
Prediction: Patch available in v0.8.0
What Undercode Say: Analytics
Check if your OBI version is vulnerable obi --version | grep "v0.0.0-rc.1+build" Simulate the data leak by sending a malicious Redis command redis-cli -p 6379 'NOTACMD my-secret-token-123' Inspect the raw OTLP telemetry output for leaked secrets grep "my-secret-token-123" /var/log/obi/telemetry.log
Exploit
Send a Redis command that triggers an error containing arbitrary sensitive data. The raw error text, including the supplied secret, is automatically captured and exported as the span status message in OTLP traces, exfiltrating the secret to any connected telemetry backend.
Protection from this CVE
Update OBI to a patched version (v0.8.0 or later). If patching is not immediately possible, manually sanitize all Redis error messages before they reach OBI or disable Redis tracing until a fix can be applied.
Impact
Information disclosure and telemetry injection. Sensitive values, tokens, or PII present in Redis error text can be exfiltrated into telemetry systems, and untrusted text can contaminate downstream analysis tools that rely on these spans.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

