{"data":{"id":"3c01a428-0101-4ae8-859c-086a0906a132","title":"GHSA-hfvc-g4fc-pqhx: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking","summary":"OpenTelemetry's Go SDK is vulnerable to PATH hijacking on BSD and Solaris systems because the `kenv` command is invoked by its bare name instead of its full path. (PATH hijacking: an attacker places a malicious program in a directory that the system searches for commands, so the fake program runs instead of the real one.) An attacker with local access who can write to a directory on the application's PATH can place a malicious `kenv` binary there, which will then execute with the application's permissions when OpenTelemetry initializes.","solution":"Use the absolute path `/bin/kenv` instead of the bare command name. Change line 42 in `sdk/resource/host_id.go` from `r.execCommand(\"kenv\", \"-q\", \"smbios.system.uuid\")` to `r.execCommand(\"/bin/kenv\", \"-q\", \"smbios.system.uuid\")`.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-hfvc-g4fc-pqhx","publishedAt":"2026-04-08T19:22:12.000Z","cveId":"CVE-2026-39883","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["go.opentelemetry.io/otel/sdk@>= 1.15.0, <= 1.42.0 (fixed: 1.43.0)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-08T19:22:12.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0010"]}}