{"data":{"id":"65718249-108b-4f93-ae39-8da7aa2d31aa","title":"GHSA-q834-8qmm-v933: OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies","summary":"OpenTelemetry's OTLP exporter (a tool for sending telemetry data, which is information about how software is performing) reads error response bodies from servers with no limit on size, potentially causing memory exhaustion if an attacker controls the server or intercepts the connection. This could crash applications by filling up their available memory.","solution":"PR #7017 updates the OTLP exporter to limit response body reads to 4MiB (megabytes) in error conditions and only attempt to read the response body when OpenTelemetry error logging is enabled.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-q834-8qmm-v933","publishedAt":"2026-04-23T21:26:10.000Z","cveId":"CVE-2026-40182","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["OpenTelemetry.Exporter.OpenTelemetryProtocol@>= 1.13.1, < 1.15.2 (fixed: 1.15.2)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-23T21:26:10.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}