{"data":{"id":"655324a8-65b4-460f-8d4d-ef3c79d4cc16","title":"GHSA-w5cv-pw74-4rxc: opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication","summary":"The githubreceiver component in opentelemetry-collector-contrib validates the `required_headers` configuration at startup but never checks those headers on incoming webhook requests. As a result, an attacker can submit forged payloads to the webhook endpoint without supplying the header values operators assumed were protecting it; this is most severe when the `secret` field is left empty, because HMAC signature validation is then skipped entirely and no check on the request remains.","solution":"Add RequiredHeaders enforcement to `handleReq()` in `receiver/githubreceiver/trace_receiver.go`, matching the pattern used in gitlabreceiver at `receiver/gitlabreceiver/traces_receiver.go:266-270`, which validates each required header by checking whether the incoming request's header value matches the configured value.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-w5cv-pw74-4rxc","publishedAt":"2026-06-18T15:05:14.000Z","cveId":"CVE-2026-55701","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["github.com/open-telemetry/opentelemetry-collector-contrib/receiver/githubreceiver@<= 0.150.0 (fixed: 0.151.0)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry","opentelemetry-collector-contrib"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-18T15:05:14.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":["AML.T0010"]}}