CVE-2026-39883

OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.

INFO

Published Date :

2026-04-08T20:26:41.731Z

Last Modified :

2026-04-08T20:26:41.731Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-39883 vulnerability.

Vendors	Products
Opentelemetry	Opentelemetry-go

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39883.

URL	Resource
http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0
https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability