OpenTelemetry eBPF Instrumentation (OBI), Information Disclosure, CVE-2026-45679 (Moderate)

Listen to this Post

How this CVE Works

The vulnerability exists in OBI’s Redis error-handling pipeline. In the `pkg/ebpf/common/redis_detect_transform.go` file, the `getRedisError` function trims the raw error buffer and stores it directly into `request.DBError.Description` without any sanitization beyond basic CRLF removal. Later, in pkg/appolly/app/request/span.go, this description is returned as the exported status message for Redis spans whenever the span status is non-zero. Because Redis error replies can contain attacker-controlled or sensitive values, this behavior can exfiltrate tokens, PII, or other confidential input into telemetry backends and inject untrusted text into downstream analysis systems. By sending a specially crafted Redis command that generates an error containing arbitrary text, an attacker can cause that text to be exported as part of the OTLP span status message. There is no opt-in control or additional sanitization, making this a default behavior that exposes internal tracing systems to information disclosure and injection attacks.

DailyCVE Form

Platform: OpenTelemetry eBPF (OBI)
Version: v0.0.0-rc.1+build
Vulnerability: Info disclosure via errors
Severity: Moderate (CVSS 5.3)
date: 2026‑05‑18

Prediction: Patch available in v0.8.0

What Undercode Say: Analytics

Check if your OBI version is vulnerable
obi --version | grep "v0.0.0-rc.1+build"
Simulate the data leak by sending a malicious Redis command
redis-cli -p 6379 'NOTACMD my-secret-token-123'
Inspect the raw OTLP telemetry output for leaked secrets
grep "my-secret-token-123" /var/log/obi/telemetry.log

Exploit

Send a Redis command that triggers an error containing arbitrary sensitive data. The raw error text, including the supplied secret, is automatically captured and exported as the span status message in OTLP traces, exfiltrating the secret to any connected telemetry backend.

Protection from this CVE

Update OBI to a patched version (v0.8.0 or later). If patching is not immediately possible, manually sanitize all Redis error messages before they reach OBI or disable Redis tracing until a fix can be applied.

Impact

Information disclosure and telemetry injection. Sensitive values, tokens, or PII present in Redis error text can be exfiltrated into telemetry systems, and untrusted text can contaminate downstream analysis tools that rely on these spans.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top