GHSA-4jvg-4jfx-fmhc: opentelemetry-collector-contrib sentryexporter: Path traversal in Sentry exporter via attacker-controlled service.name reaches privileged Sentry API endpoints with operator bearer token
Summary
The Sentry exporter in opentelemetry-collector-contrib has a path traversal vulnerability (an attack in which manipulated path segments steer a request to an unintended location): it builds Sentry API URLs by inserting the service.name attribute, which remote attackers can control, directly into the URL without validating it. Because the operator's bearer token (a credential that proves the operator's identity) is automatically added to every request, an attacker can craft a malicious service.name to reach privileged Sentry admin and organization endpoints that they should not have access to.
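The flaw class described above, next to a hardened form, as an added example that is not the exporter's own code. The host, the `/api/0/projects/example-org/` prefix, the `/keys/` suffix, the slug pattern and all function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Assumed for illustration: host, API prefix and "/keys/" suffix are placeholders.
const baseURL = "https://sentry.example.invalid/api/0/projects/example-org/"
const basePath = "/api/0/projects/example-org/"

// Assumed allow-list for a project slug: lowercase alphanumerics, '-' and '_'.
var slugRe = regexp.MustCompile(`^[a-z0-9][a-z0-9_-]{0,49}$`)

// unsafeProjectURL splices service.name into the path unchecked (the flaw described above).
func unsafeProjectURL(serviceName string) string {
	return baseURL + serviceName + "/keys/"
}

// resolvedPath returns the URL path after dot-segment normalization.
func resolvedPath(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return path.Clean(u.Path), nil
}

// safeProjectURL validates the slug, escapes it, and confirms the result stays under basePath.
func safeProjectURL(serviceName string) (string, error) {
	if !slugRe.MatchString(serviceName) {
		return "", fmt.Errorf("rejecting service.name %q: not a valid slug", serviceName)
	}
	raw := baseURL + url.PathEscape(serviceName) + "/keys/"
	p, err := resolvedPath(raw)
	if err != nil || !strings.HasPrefix(p+"/", basePath) {
		return "", fmt.Errorf("resolved path escapes %s", basePath)
	}
	return raw, nil
}

func main() {
	p, _ := resolvedPath(unsafeProjectURL("../../elsewhere")) // constructed input
	_, err := safeProjectURL("../../elsewhere")
	fmt.Println(p, err)
}
```

Validating against an allow-list before building the URL is the primary control; the prefix check on the normalized path is a second layer that still holds if the allow-list is later loosened.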
Vulnerability Details
EPSS: 0.0%
Yes
June 18, 2026
Original source: https://github.com/advisories/GHSA-4jvg-4jfx-fmhc
First tracked: June 18, 2026 at 02:00 PM