{"data":{"id":"a1ec24de-5af9-4c4e-a5f8-32419c5023c1","title":"GHSA-4625-4j76-fww9: OpenTelemetry's disk retry default temp path enables local blob injection via OTLP Exporter","summary":"OpenTelemetry's disk retry feature for the OTLP exporter (OTLP is the OpenTelemetry Protocol, a standard format for sending telemetry data) had a security flaw: by default it stored temporary blob files (serialized data chunks) in a shared system temp directory accessible to other user accounts on multi-user systems. This allowed a local attacker with access to that directory to inject fake telemetry data, read sensitive telemetry information, or cause performance problems by filling the directory with large files.","solution":"If an immediate upgrade to a patched version is not possible: 1. Avoid enabling disk retry in shared environments. 2. Configure a dedicated directory with strict ACLs (access control lists that restrict who can read or write) and ownership, granting least privilege. 3. Ensure the directory is not shared across tenants/users. 4. Monitor for unexpected `*.blob` files or abnormal retry backlog growth.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-4625-4j76-fww9","publishedAt":"2026-04-30T18:34:30.000Z","cveId":"CVE-2026-42191","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["OpenTelemetry.Exporter.OpenTelemetryProtocol@>= 1.8.0, <= 1.15.2 (fixed: 
1.15.3)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-30T18:34:30.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":["AML.T0010"]}}