{"data":{"id":"c163addf-a2cb-49b7-ad80-b1ba503c3d16","title":"GHSA-w8rr-5gcm-pp58: opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies","summary":"OpenTelemetry Go's OTLP HTTP exporters (tools that send trace, metric, and log data over HTTP) read entire HTTP response bodies into memory without limiting their size, which allows an attacker controlling the collector endpoint to exhaust memory and crash the application by sending extremely large responses. This vulnerability affects the HTTP exporter packages of three components: otlptrace (otlptracehttp), otlpmetric (otlpmetrichttp), and otlplog (otlploghttp).","solution":"Fixed in PR #8108 (https://github.com/open-telemetry/opentelemetry-go/pull/8108). Upgrade to the fixed releases: otlploghttp 0.19.0, otlpmetrichttp 1.43.0, and otlptracehttp 1.43.0.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-w8rr-5gcm-pp58","publishedAt":"2026-04-08T19:22:01.000Z","cveId":"CVE-2026-39882","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp@< 0.19.0 (fixed: 0.19.0)","go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@< 1.43.0 (fixed: 1.43.0)","go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@< 1.43.0 (fixed: 1.43.0)"],"affectedVendors":[],"affectedVendorsRaw":[],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-08T19:22:01.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}