GHSA-9h8m-3fm2-qjrq (CVE-2026-24051)

Details

Impact

The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application.

Patches

This has been patched in d45961b, which was released with v1.40.0.

References

CWE-426: Untrusted Search Path

Affected Packages

go.opentelemetry.io/otel/sdk/resource

Go

Fixed in:

1.40.0

References

ADVISORYhttps://github.com/advisories/GHSA-9h8m-3fm2-qjrq PACKAGEhttps://github.com/open-telemetry/opentelemetry-go WEBhttps://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53 WEBhttps://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-24051

GHSA-9h8m-3fm2-qjrq

Details

Impact

Patches

References

Affected Packages

References

Aliases

CVSS Analysis

Related

Ecosystems

Timeline