Description

OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2.

INFO

Published Date :

2026-04-23T17:51:34.961Z

Last Modified :

2026-04-23T18:38:57.155Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40182 vulnerability.

Vendors Products
Opentelemetry
  • Opentelemetry
  • Opentelemetry-dotnet
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40182.

URL Resource
https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564 cve-icon cve-icon
https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017 cve-icon cve-icon
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933 cve-icon cve-icon
https://github.com/open-telemetry/opentelemetry-proto/pull/781 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact