GHSA-4625-4j76-fww9: OpenTelemetry's disk retry default temp path enables local blob injection via OTLP Exporter
Summary
OpenTelemetry's disk retry feature for OTLP (OpenTelemetry Protocol, a standard format for sending telemetry data) had a security flaw where it stored temporary blob files (serialized data chunks) in a shared system temp directory accessible to other user accounts on multi-user systems. This allowed attackers to inject fake telemetry data, read sensitive telemetry information, or cause performance problems by filling the directory with large files.
Solution / Mitigation
If an immediate upgrade to a patched version is not possible: 1. Avoid enabling disk retry in shared environments. 2. Configure a dedicated directory with strict ACL/ownership and least privilege (access control lists that restrict who can read or write). 3. Ensure the directory is not shared across tenants/users. 4. Monitor for unexpected `*.blob` files or abnormal retry backlog growth.
Vulnerability Details
EPSS: 0.0%
Yes
April 30, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-4625-4j76-fww9
First tracked: April 30, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%