OpenTelemetry Go, DoS via Baggage Header Parsing, CVE-2026-41178 (medium) -DC-May2026-12

Listen to this Post

How CVE-2026-41178 Works

The vulnerability exists in the baggage header parsing logic of the OpenTelemetry Go SDK. The issue was introduced when commit 7880 removed two critical safety checks.
First, the commit removed an upfront length check on the raw baggage string (bStr). Previously, this check would reject excessively long headers early in the parsing process. Second, it removed a per-member size guard during parsing.
With these checks removed, the `Parse` function now uses `strings.SplitSeq` to iterate through the entire input, even if it is very large or malformed. It attempts to fully tokenize and percent-decode (PathUnescape) each member, while skipping invalid ones. All parsing errors are forwarded to the global error handler, which by default logs them.
An attacker can send an HTTP or gRPC request with a single, oversized or malformed `baggage` header. Because the transport layer often allows headers up to 8KB or more, this header passes through the server or proxy. The OpenTelemetry propagator then parses this header, triggering excessive CPU and memory work as it processes the entire string. The resulting log messages can be voluminous, leading to log amplification.
This creates a Denial-of-Service (DoS) risk for any instrumented service that (1) uses the default OpenTelemetry baggage propagator, (2) accepts large headers, and (3) does not suppress parse errors. The impact is limited to availability and is considered medium severity, as the attack relies on transport header limits.

DailyCVE Form:

Platform: OpenTelemetry Go
Version: 1.41.0-1.43.0
Vulnerability : DoS via baggage
Severity: medium
date: 2026-05-28

Prediction: 2026-05-28

What Undercode Say:

Check your opentelemetry-go version in go.mod
grep "go.opentelemetry.io/otel" go.mod
Alternatively, for a quick test, use this curl command
to send a malformed, oversized baggage header.
WARNING: This is for demonstration only.
curl -H "baggage: <code>python3 -c "print('A'10000)"</code>" http://your-service/metrics
Vulnerable code snippet (internal/global/internal/matchers/...)
The parseMember function in baggage/baggage.go performs PathUnescape
without any size guard, amplifying work for large inputs.

Exploit:

The exploit is simple: a remote, unauthenticated attacker sends an HTTP request containing a specially crafted `baggage` header. The header is either very large (e.g., 10,000+ characters) or malformed (e.g., invalid percent-encoding). The service’s OpenTelemetry instrumentation parses this header, leading to high CPU usage, memory consumption, and large log output, potentially causing the service to become unresponsive.

Protection:

  1. Upgrade: Update to OpenTelemetry Go SDK version `1.42.0` or `1.44.0` (or later). These versions restore the size checks.
  2. Configure error handler: Set a custom error handler that suppresses or rate-limits log messages for baggage parse errors.
  3. Enforce header limits: Configure your reverse proxy, API gateway, or load balancer to reject HTTP requests with headers exceeding a reasonable size (e.g., 8KB).

Impact:

A remote attacker can cause a Denial-of-Service (DoS) condition. The impact is limited to availability (CPU, memory, log storage) and is bounded by transport layer header limits. The severity is medium (CVSS 5.3).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top