{"data":{"id":"93584346-00a1-4e8c-92dd-2e5697f3b88a","title":"GHSA-5wrp-cwcj-q835: opentelemetry-go's baggage parsing no longer caps raw header length","summary":"A removed safety check in OpenTelemetry Go's baggage parsing (the mechanism for passing contextual data between services) allows attackers to send extremely large or malformed baggage headers that consume excessive CPU and memory while being fully processed and logged, creating a denial-of-service vulnerability. The parser no longer rejects oversized inputs upfront and instead processes every invalid member completely, sending errors to the logging system by default.","solution":"N/A -- no mitigation discussed in source. The affectedPackages field of this record lists fixed releases for go.opentelemetry.io/otel/baggage and go.opentelemetry.io/otel/propagation: 1.44.0 for 1.43.0 and 1.42.0 for 1.41.0.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-5wrp-cwcj-q835","publishedAt":"2026-05-28T17:04:19.000Z","cveId":"CVE-2026-41178","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["go.opentelemetry.io/otel/propagation@= 1.43.0 (fixed: 1.44.0)","go.opentelemetry.io/otel/baggage@= 1.43.0 (fixed: 1.44.0)","go.opentelemetry.io/otel/propagation@= 1.41.0 (fixed: 1.42.0)","go.opentelemetry.io/otel/baggage@= 1.41.0 (fixed: 1.42.0)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-28T17:04:19.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}