Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.

INFO

Published Date :

2026-02-02T19:49:10.038Z

Last Modified :

2026-02-03T14:54:41.668Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-24051 vulnerability.

Vendors Products
Linuxfoundation
  • Opentelemetry-go
Opentelemetry
  • Opentelemetry
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-24051.

URL Resource
https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53 cve-icon cve-icon
https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact