The OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured.
The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path.
On multi-user systems where the temporary directory is accessible to other local accounts, this exposed three attack surfaces:
*.blob files into the predictable path; the exporter picks them up on the next retry cycle and forwards them to the configured OTLP endpoint under the application's identity.*.blob files written by the application between export failures, recovering encoded telemetry payloads (spans, metric data points, log records).OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY is set to disk.OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH is not set, causing the exporter to resolve the blob storage root using the System.IO.Path.GetTempPath() API./tmp on Linux, or %TEMP% on a multi-user Windows installation).OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk and no explicit blob directory. The exporter resolves the storage root to Path.GetTempPath(), producing paths such as %TEMP%\traces, %TEMP%\metrics, and %TEMP%\logs (or /tmp/traces etc. on Linux).1.15.3Exploitability
AV:LAC:HPR:LUI:NScope
S:UImpact
C:HI:HA:L6.5/CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L