AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-w8rr-5gcm-pp58: opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

mediumvulnerability

security

Source: GitHub Advisory DatabaseApril 8, 2026CVE-2026-39882

Summary

OpenTelemetry Go's OTLP HTTP exporters (tools that send trace, metric, and log data over HTTP) read entire HTTP response bodies into memory without limiting their size, which allows an attacker controlling the collector endpoint to crash the application by sending extremely large responses. This vulnerability affects three exporter components: otlptrace, otlpmetric, and otlplog.

Solution / Mitigation

Fixed in PR #8108 (https://github.com/open-telemetry/opentelemetry-go/pull/8108).

Vulnerability Details

EPSS (30-day exploit probability)

EPSS: 0.0%

Patch Available

Yes

Disclosure Date

April 8, 2026

Classification

Attack Type

DoS

Attack SophisticationModerate

Impact (CIA+S)

availability

AI Component TargetedInference

Affected Packages

go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp@< 0.19.0 (fixed: 0.19.0)go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@< 1.43.0 (fixed: 1.43.0)go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@< 1.43.0 (fixed: 1.43.0)

Related Issues

medium

CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem

Similar attackNVD/CVE Database

low

CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p

Similar attack

Monthly digest — independent AI security research

Original source: https://github.com/advisories/GHSA-w8rr-5gcm-pp58

First tracked: April 8, 2026 at 08:00 PM

Classified by LLM (prompt v3) · confidence: 85%