{"data":{"id":"41c3e32d-faa4-4dfa-807f-7dbf5ca3a9a3","title":"GHSA-w2jh-77fq-7gp8: OpAMP client reads unbounded HTTP response bodies","summary":"The OpAMP client (a component for managing telemetry agents) reads HTTP responses without limiting how much data it accepts, which could allow an attacker controlling the server to send extremely large responses and exhaust the application's memory, causing it to crash. This vulnerability only affects applications where the OpAMP server is untrusted or where the connection to it could be intercepted by a network attacker.","solution":"Update to the patched version, 0.2.0-alpha.1: pull request #4116 updates the OpAMP client HTTP transport to limit the maximum size of responses to 128KB, preventing unbounded memory consumption.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-w2jh-77fq-7gp8","publishedAt":"2026-05-05T21:57:54.000Z","cveId":"CVE-2026-42348","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["OpenTelemetry.OpAmp.Client@< 0.2.0-alpha.1 (fixed: 0.2.0-alpha.1)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-05T21:57:54.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}