GHSA-w5cv-pw74-4rxc: opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication
Summary
The githubreceiver component in opentelemetry-collector-contrib validates the `required_headers` configuration at startup but never checks those headers on incoming webhook requests. An attacker can therefore post forged events to the webhook endpoint, bypassing the header-based authentication that operators believed was protecting it. The exposure is worst when the `secret` field is left empty, because that disables HMAC signature validation entirely, leaving the endpoint with no request authentication at all.
Solution / Mitigation
Enforce RequiredHeaders in `handleReq()` in `receiver/githubreceiver/trace_receiver.go`, matching the pattern used in gitlabreceiver at `receiver/gitlabreceiver/traces_receiver.go:266-270`, which rejects a request unless every configured header is present on the incoming request with exactly the configured value. Until the fix is deployed, operators should set a non-empty `secret` so that HMAC signature validation is performed, and should not rely on `required_headers` alone.
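The following Go program is an added illustration of the fix described above; it is not the project's code and does not reproduce githubreceiver's actual types. `Config`, `Validate`, `checkRequiredHeaders`, `verifySignature`, `handleReq` and `send` are hypothetical names. It shows the gap the advisory describes (a startup-only `Validate` that enforces nothing per request) beside the per-request check the fix adds, and pairs it with GitHub's `X-Hub-Signature-256` HMAC-SHA256 check so the effect of an empty `secret` is visible. The header comparison uses a constant-time compare, which is a stricter choice than the plain equality check the gitlabreceiver pattern is described as using:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Config mirrors the two webhook-auth settings the advisory discusses.
// Field names are illustrative, not the receiver's real schema.
type Config struct {
	Secret          string            // HMAC key; empty disables signature checking
	RequiredHeaders map[string]string // header name -> expected value
}

// Validate is the startup-time check. On its own it protects nothing:
// it only confirms that the configuration is well-formed.
func (c Config) Validate() error {
	for name, value := range c.RequiredHeaders {
		if name == "" || value == "" {
			return errors.New("required_headers entries need a non-empty name and value")
		}
	}
	return nil
}

// checkRequiredHeaders is the per-request enforcement that was missing:
// every configured header must be present with exactly the configured value.
func checkRequiredHeaders(cfg Config, r *http.Request) error {
	for name, want := range cfg.RequiredHeaders {
		got := r.Header.Get(name)
		if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
			return fmt.Errorf("required header %q missing or incorrect", name)
		}
	}
	return nil
}

// verifySignature checks GitHub's X-Hub-Signature-256 header ("sha256=<hex>")
// against HMAC-SHA256 of the raw body. An empty secret skips the check entirely,
// which is why required_headers must be enforced independently of it.
func verifySignature(secret, sigHeader string, body []byte) error {
	if secret == "" {
		return nil
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	want := "sha256=" + hex.EncodeToString(mac.Sum(nil))
	if !hmac.Equal([]byte(sigHeader), []byte(want)) {
		return errors.New("signature mismatch")
	}
	return nil
}

// handleReq is the hardened handler: cheap header check first, then the
// signature over the (size-limited) body, and only then is the payload accepted.
func handleReq(cfg Config) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if err := checkRequiredHeaders(cfg, r); err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		if err != nil {
			http.Error(w, "read error", http.StatusBadRequest)
			return
		}
		if err := verifySignature(cfg.Secret, r.Header.Get("X-Hub-Signature-256"), body); err != nil {
			http.Error(w, "bad signature", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

// send drives the handler with an in-memory request and returns the HTTP status.
func send(cfg Config, headers map[string]string, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/events", strings.NewReader(body))
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rr := httptest.NewRecorder()
	handleReq(cfg)(rr, req)
	return rr.Code
}

func main() {
	// Constructed config: no secret, one required header (the risky setup).
	cfg := Config{RequiredHeaders: map[string]string{"X-Webhook-Token": "s3cret-token"}}
	if err := cfg.Validate(); err != nil {
		panic(err)
	}
	fmt.Println("forged request, no header:", send(cfg, nil, `{"action":"opened"}`))
	fmt.Println("legitimate request:", send(cfg, map[string]string{"X-Webhook-Token": "s3cret-token"}, `{"action":"opened"}`))
}
```

With the vulnerable behaviour, the first request in `main` would be accepted because nothing after `Validate` ever looks at the header; with the per-request check it is rejected with 401. Setting `Secret` additionally requires a valid `X-Hub-Signature-256`, so both controls apply independently.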
Vulnerability Details
EPSS: 0.0%
June 18, 2026
Original source: https://github.com/advisories/GHSA-w5cv-pw74-4rxc
First tracked: June 18, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 75%