AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-5wrp-cwcj-q835: opentelemetry-go's baggage parsing no longer caps raw header length

mediumvulnerability

security

Source: GitHub Advisory DatabaseMay 28, 2026CVE-2026-41178

Summary

A removed safety check in OpenTelemetry Go's baggage parsing (the mechanism for passing contextual data between services) allows attackers to send extremely large or malformed baggage headers that consume excessive CPU and memory while being fully processed and logged, creating a denial-of-service vulnerability. The parser no longer rejects oversized inputs upfront and instead processes every invalid member completely, sending errors to the logging system by default.

Vulnerability Details

EPSS (30-day exploit probability)

EPSS: 0.0%

Patch Available

Yes

Disclosure Date

May 28, 2026

Classification

Attack Type

DoS

Attack SophisticationModerate

Impact (CIA+S)

availability

Affected Vendors

Affected Packages

go.opentelemetry.io/otel/propagation@= 1.43.0 (fixed: 1.44.0)go.opentelemetry.io/otel/baggage@= 1.43.0 (fixed: 1.44.0)go.opentelemetry.io/otel/propagation@= 1.41.0 (fixed: 1.42.0)go.opentelemetry.io/otel/baggage@= 1.41.0 (fixed: 1.42.0)

Related Issues

medium

CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem

Similar attackNVD/CVE Database

low

CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p

Similar attack

Monthly digest — independent AI security research

Original source: https://github.com/advisories/GHSA-5wrp-cwcj-q835

First tracked: May 28, 2026 at 02:00 PM

Classified by LLM (prompt v3) · confidence: 75%