{"data":{"id":"4fc9f126-b037-4115-a689-313eac4e47e8","title":"GHSA-4jvg-4jfx-fmhc: opentelemetry-collector-contrib sentryexporter: Path traversal in Sentry exporter via attacker-controlled service.name reaches privileged Sentry API endpoints with operator bearer token","summary":"The Sentry exporter in opentelemetry-collector-contrib has a path traversal vulnerability (here, a flaw where attacker-controlled input alters the path of a request URL so that it reaches unintended endpoints) because it builds Sentry API URLs by directly inserting the service.name attribute, which remote attackers can control, without validating it. Since the operator's bearer token (a credential that proves the operator's identity) is automatically added to every request, an attacker can craft a malicious service.name to reach privileged Sentry admin and organization endpoints that they shouldn't have access to.","solution":"N/A -- no mitigation discussed in source; this record's affectedPackages entry lists 0.154.0 as the fixed version.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-4jvg-4jfx-fmhc","publishedAt":"2026-06-18T15:04:10.000Z","cveId":"CVE-2026-47256","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["github.com/open-telemetry/opentelemetry-collector-contrib/exporter/sentryexporter@< 0.154.0 (fixed: 0.154.0)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry","Sentry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-18T15:04:10.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":["AML.T0010"]}}