DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-29181: Remote Denial of Service via Baggage Header Amplification in OpenTelemetry-Go

Vulnerability ID: CVE-2026-29181
CVSS Score: 7.5
Published: 2026-04-07

OpenTelemetry-Go versions 1.36.0 through 1.40.0 are vulnerable to a resource exhaustion flaw in the W3C Baggage propagation mechanism. Unauthenticated remote attackers can trigger excessive memory and CPU consumption by sending requests with fragmented HTTP baggage headers, resulting in a Denial of Service condition.

TL;DR

A flaw in OpenTelemetry-Go's baggage propagator allows attackers to bypass per-header length limits by sending multiple fragmented headers, causing linear memory allocation growth and eventual application Denial of Service.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Resource Exhaustion / DoS
  • CWE ID: CWE-770
  • CVSS Score: 7.5 (High)
  • Attack Vector: Network
  • Privileges Required: None
  • Exploit Maturity: Proof of Concept

Affected Systems

  • OpenTelemetry-Go
  • go.opentelemetry.io/otel/baggage
  • go.opentelemetry.io/otel/propagation
  • OpenTelemetry-Go: >= 1.36.0, <= 1.40.0 (Fixed in: 1.41.0)

Code Analysis

Commit: aa1894e

Fix baggage parsing logic to implement global budgets and lower max members to 64.

Mitigation Strategies

  • Upgrade OpenTelemetry-Go dependencies to version 1.41.0 or later.
  • Implement edge-level WAF rules to restrict the maximum number of baggage headers per request.
  • Enforce maximum total HTTP header size limits at the reverse proxy or ingress layer.
  • Configure strict container memory limits and restart policies to recover from OOM states quickly.
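The TL;DR describes the core problem as a per-header limit that a sender sidesteps by splitting baggage across many header fields, and the first two mitigation bullets ask for a request-wide cap at the edge. The following Go middleware, an added example that is not OpenTelemetry-Go code and not taken from the fix commit, shows what such a request-wide ("global") budget looks like in a plain net/http handler placed in front of any propagator: it charges every `baggage` field of the request against one shared member and byte budget, so fragmentation gains nothing, and it counts members by comma without splitting or allocating per member. The member cap of 64 is the figure the commit message gives; the byte cap, the `BaggageBudget`, `CheckBaggage`, `BaggageLimit` and `StatusFor` names, and the constructed requests are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// BaggageBudget is a request-wide cap applied across every "baggage"
// header field combined, so fragmenting the payload over many fields
// buys the sender nothing. MaxMembers of 64 mirrors the limit named in
// the fix commit; MaxBytes is an assumed value for this example.
type BaggageBudget struct {
	MaxMembers int
	MaxBytes   int
}

// ErrBaggageBudget is returned when the combined baggage exceeds the budget.
var ErrBaggageBudget = errors.New("baggage exceeds request-wide budget")

// CheckBaggage walks every baggage header field (h.Values returns all of
// them, fragments included) and charges bytes and members against one
// shared budget. It never splits or parses members, so its cost is bounded
// by header bytes already in memory, not by member count. Members are
// estimated as comma count + 1, which over-counts empty elements; for a
// budget, over-counting is the safe direction.
func CheckBaggage(h http.Header, b BaggageBudget) error {
	members, bytes := 0, 0
	for _, field := range h.Values("baggage") {
		bytes += len(field)
		if bytes > b.MaxBytes {
			return fmt.Errorf("%w: %d bytes over %d", ErrBaggageBudget, bytes, b.MaxBytes)
		}
		if strings.TrimSpace(field) == "" {
			continue
		}
		members += strings.Count(field, ",") + 1
		if members > b.MaxMembers {
			return fmt.Errorf("%w: more than %d members", ErrBaggageBudget, b.MaxMembers)
		}
	}
	return nil
}

// BaggageLimit rejects over-budget requests with 431 before any
// propagator extraction runs on them.
func BaggageLimit(b BaggageBudget, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := CheckBaggage(r.Header, b); err != nil {
			http.Error(w, err.Error(), http.StatusRequestHeaderFieldsTooLarge)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor builds a constructed request carrying `fields` baggage header
// fields of `membersPerField` members each, runs it through the middleware
// and returns the status code, so the budget can be exercised without a
// listening server.
func StatusFor(b BaggageBudget, fields, membersPerField int) int {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	for i := 0; i < fields; i++ {
		parts := make([]string, 0, membersPerField)
		for j := 0; j < membersPerField; j++ {
			parts = append(parts, fmt.Sprintf("k%d_%d=v", i, j))
		}
		r.Header.Add("baggage", strings.Join(parts, ","))
	}
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	BaggageLimit(b, ok).ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	budget := BaggageBudget{MaxMembers: 64, MaxBytes: 8192}
	fmt.Println("1 field x 10 members:", StatusFor(budget, 1, 10))   // 200
	fmt.Println("10 fields x 10 members:", StatusFor(budget, 10, 10)) // 431
}
```

Because the check runs on `r.Header` as a whole, a request that stays under a per-field limit but spreads 100 members over 10 fields is rejected exactly like one that puts them all in a single field; the same idea applies at a reverse proxy that exposes a total-header-size limit.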

Remediation Steps:

  1. Identify all microservices utilizing go.opentelemetry.io/otel/baggage or go.opentelemetry.io/otel/propagation.
  2. Update the go.mod file to require version v1.41.0 of these packages.
  3. Run go mod tidy to update transitive dependencies.
  4. Recompile and deploy the updated services.
  5. Monitor application memory usage and garbage collection metrics to ensure the fix is active.
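Step 1 asks for an inventory of services that pull in the affected packages, and step 2 for the go.mod change. As an added example (not tooling from OpenTelemetry-Go or the report), the Go program below scans go.mod text for the go.opentelemetry.io/otel module, which is where the baggage and propagation packages ship (an assumed mapping for this example), and flags versions inside the advisory's stated range of >= 1.36.0 and <= 1.40.0. It handles single-line and block `require` directives and `// indirect` comments; it does not follow `replace` directives, so `go list -m all` remains the authoritative answer. The `Finding`, `ScanGoMod`, `InAffectedRange` names and the sample go.mod are constructed for this example.

```go
package main

import (
	"bufio"
	"strconv"
	"strings"
)

// Affected range as stated by the advisory: >= 1.36.0 and <= 1.40.0.
var (
	affectedMin = [3]int{1, 36, 0}
	affectedMax = [3]int{1, 40, 0}
)

// otelModules lists the module paths to look for. The baggage and
// propagation packages ship in go.opentelemetry.io/otel (assumed mapping).
var otelModules = map[string]bool{"go.opentelemetry.io/otel": true}

// Finding is one otel module requirement found in a go.mod.
type Finding struct {
	Path     string
	Version  string
	Affected bool
}

// parseVersion reads "vMAJOR.MINOR.PATCH" and drops any pre-release or
// build suffix, so v1.36.0-rc.1 is treated like v1.36.0 (the conservative
// direction for a vulnerability check).
func parseVersion(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, false
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, false
		}
		out[i] = n
	}
	return out, true
}

func compare(a, b [3]int) int {
	for i := range a {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// InAffectedRange reports whether a parsed version is inside the range.
func InAffectedRange(v [3]int) bool {
	return compare(v, affectedMin) >= 0 && compare(v, affectedMax) <= 0
}

// ScanGoMod reads go.mod text and returns every otel module requirement
// with its affected status. Replace directives are not considered.
func ScanGoMod(content string) []Finding {
	var findings []Finding
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // strip "// indirect" etc.
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || !otelModules[fields[0]] {
			continue
		}
		f := Finding{Path: fields[0], Version: fields[1]}
		if pv, ok := parseVersion(fields[1]); ok {
			f.Affected = InAffectedRange(pv)
		}
		findings = append(findings, f)
	}
	return findings
}

// sampleGoMod is a constructed go.mod for a service pinned inside the range.
const sampleGoMod = `module example.com/checkout

go 1.22

require (
	github.com/example/other v0.3.1
	go.opentelemetry.io/otel v1.38.0
	go.opentelemetry.io/otel/trace v1.38.0 // indirect
)
`
```

Running `ScanGoMod` over each repository's go.mod (or over the output of `go list -m all` reformatted as `path version` lines) gives the inventory step 1 asks for; each finding with `Affected` set is a service whose go.mod should be moved to v1.41.0 before `go mod tidy` and a rebuild.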

Read the full report for CVE-2026-29181 on our website for more details including interactive diagrams and full exploit analysis.
