GHSA-hfvc-g4fc-pqhx: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
Summary
OpenTelemetry's Go SDK is vulnerable to PATH hijacking on BSD and Solaris systems: when the SDK looks up the host ID during resource detection (`sdk/resource/host_id.go`), it invokes `kenv` by its bare name, so the operating system resolves the binary through the process's `PATH` environment variable instead of a fixed location. (PATH hijacking is the technique of placing a malicious program with the expected name in a directory that is searched before the real one, so the attacker's program runs instead.) An attacker with local access who can write to a directory that appears in the application's `PATH` ahead of `/bin` can plant a malicious `kenv`, which then executes with the application's privileges when OpenTelemetry initializes.
Solution / Mitigation
Use the absolute path `/bin/kenv` instead of the bare command name: change line 42 of `sdk/resource/host_id.go` from `r.execCommand("kenv", "-q", "smbios.system.uuid")` to `r.execCommand("/bin/kenv", "-q", "smbios.system.uuid")`. With an absolute path the lookup never consults `PATH`, so an attacker-controlled directory cannot substitute the binary. Until the fix is deployed, run the application with a `PATH` that contains only root-owned, non-writable directories, and verify which `kenv` the process would actually resolve (for example with `command -v kenv` in the same environment).
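The vulnerable and hardened call patterns side by side, as an added Go example that is not code from the opentelemetry-go project: `vulnerableHostID` reproduces the bare-name call, `hardenedKenvCommand` is a hypothetical helper standing in for the fixed `r.execCommand`, and `plantFakeKenv` plays the local attacker by writing a constructed `kenv` shell script into a temporary directory that is then placed at the front of `PATH`. Run it and the bare-name call executes the planted script rather than the real binary; the hardened form refuses a relative name outright and, given `/bin/kenv`, never consults `PATH`.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// fakeMarker is what the planted (constructed) kenv prints, so a caller can
// tell the attacker's binary apart from the real /bin/kenv.
const fakeMarker = "HIJACKED-ffffffff-ffff-ffff-ffff-ffffffffffff"

// vulnerableHostID mirrors the pattern in the advisory: a bare "kenv" is handed
// to os/exec, which resolves it through the current process's $PATH.
func vulnerableHostID() (string, error) {
	out, err := exec.Command("kenv", "-q", "smbios.system.uuid").Output()
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(out)), nil
}

// hardenedKenvCommand is the fixed form (hypothetical helper, not the SDK's):
// it refuses anything that is not an absolute path, so $PATH is never consulted.
func hardenedKenvCommand(path string, args ...string) (*exec.Cmd, error) {
	if !filepath.IsAbs(path) {
		return nil, fmt.Errorf("refusing non-absolute command %q", path)
	}
	// exec.Command uses the name as-is when it contains a path separator.
	return exec.Command(path, args...), nil
}

// plantFakeKenv writes an executable script named kenv into dir. This is the
// constructed attacker payload, not anything shipped by a real system.
func plantFakeKenv(dir string) (string, error) {
	p := filepath.Join(dir, "kenv")
	script := "#!/bin/sh\necho " + fakeMarker + "\n"
	if err := os.WriteFile(p, []byte(script), 0o755); err != nil {
		return "", err
	}
	return p, nil
}

// demonstrateHijack plants a fake kenv in a fresh absolute directory, puts that
// directory first in $PATH, and reports what the vulnerable call resolves to and
// returns. $PATH is restored before returning.
func demonstrateHijack() (resolvedPath, output string, err error) {
	dir, err := os.MkdirTemp("", "path-hijack-demo")
	if err != nil {
		return "", "", err
	}
	defer os.RemoveAll(dir)

	if _, err = plantFakeKenv(dir); err != nil {
		return "", "", err
	}

	oldPath := os.Getenv("PATH")
	defer os.Setenv("PATH", oldPath)
	// An absolute, attacker-writable entry ahead of /bin is the precondition.
	os.Setenv("PATH", dir+string(os.PathListSeparator)+oldPath)

	resolvedPath, err = exec.LookPath("kenv")
	if err != nil {
		return "", "", err
	}
	output, err = vulnerableHostID()
	return resolvedPath, output, err
}

func main() {
	resolved, out, err := demonstrateHijack()
	if err != nil {
		fmt.Println("demo failed:", err)
		os.Exit(1)
	}
	fmt.Printf("bare \"kenv\" resolved to %s and returned %q\n", resolved, out)

	if _, err := hardenedKenvCommand("kenv"); err != nil {
		fmt.Println("hardened form rejects bare name:", err)
	}
	cmd, _ := hardenedKenvCommand("/bin/kenv", "-q", "smbios.system.uuid")
	fmt.Println("hardened form runs exactly:", cmd.Path)
}
```

The attacker-controlled directory is absolute on purpose: since Go 1.19, `exec.LookPath` returns `exec.ErrDot` when the match comes from a relative `PATH` entry such as `.`, so a bare `.` in `PATH` no longer suffices, but any absolute directory the attacker can write to that precedes `/bin` in the application's `PATH` still does. The example needs `/bin/sh` to run the planted script.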
Vulnerability Details
EPSS: 0.0%
April 8, 2026
Original source: https://github.com/advisories/GHSA-hfvc-g4fc-pqhx
First tracked: April 8, 2026 at 08:00 PM