CVE-2026-39883: PATH Hijacking via Insecure kenv Execution in OpenTelemetry Go SDK
Vulnerability ID: CVE-2026-39883
CVSS Score: 7.3
Published: 2026-04-08
The OpenTelemetry Go SDK contains an untrusted search path vulnerability (CWE-426) affecting BSD and Solaris systems. When the sdk/resource package derives the host ID on these platforms, it executes the system kenv utility by bare name rather than by absolute path, so the binary is resolved through the PATH environment variable inherited by the process. A local attacker who can place a file named kenv in a directory that appears earlier in PATH than the real utility gets arbitrary code execution with the privileges of the instrumented process.
TL;DR
OpenTelemetry Go SDK versions from 1.15.0 up to, but not including, 1.43.0 resolve the kenv command through PATH on BSD/Solaris systems and are therefore exposed to PATH hijacking. Upgrade to 1.43.0 or later; as an interim measure, restrict the PATH of the instrumented process to trusted, non-writable directories.
Technical Details
- CWE ID: CWE-426
- Attack Vector: Local
- CVSS 4.0: 7.3
- Exploit Status: None
- KEV Status: Not Listed
- Affected Component: go.opentelemetry.io/otel/sdk/resource
Affected Systems
- DragonFly BSD
- FreeBSD
- NetBSD
- OpenBSD
- Solaris
- opentelemetry-go: >= 1.15.0, < 1.43.0 (fixed in 1.43.0)
Mitigation Strategies
- Upgrade OpenTelemetry Go SDK to version 1.43.0 or later.
- Ensure the PATH of the instrumented process contains only absolute, non-world-writable directories; a relative entry (including an empty entry, which means the current directory) is as dangerous as a writable one.
- On FreeBSD, populate /etc/hostid so that the host ID is read from the file and the kenv fallback is never executed.
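The following is an added example, not code from the OpenTelemetry Go SDK or from this advisory. It places the insecure PATH-based lookup that CWE-426 describes next to a hardened lookup that only accepts the utility from fixed absolute directories, and it implements the PATH audit recommended in the mitigation list. The function names, the trustedBinDirs allow-list and the fake kenv written by the demonstration are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// trustedBinDirs is an assumed allow-list of directories from which a system
// utility such as kenv may be executed. It is illustrative, not the SDK's own
// list; adjust it for the target platform.
var trustedBinDirs = []string{"/bin", "/sbin", "/usr/bin", "/usr/sbin"}

// vulnerableLookup mirrors the CWE-426 pattern: a bare command name is
// resolved through the inherited PATH and the first match wins, so whoever
// controls an early PATH entry controls which binary runs as the process user.
func vulnerableLookup(name, pathEnv string) (string, error) {
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" {
			dir = "." // an empty PATH entry means the current directory
		}
		if p := executableAt(dir, name); p != "" {
			return p, nil
		}
	}
	return "", exec.ErrNotFound
}

// hardenedLookup never consults PATH: it accepts the utility only from the
// given absolute directories, which is equivalent to hard-coding its path.
func hardenedLookup(name string, trusted []string) (string, error) {
	for _, dir := range trusted {
		if !filepath.IsAbs(dir) {
			continue // a relative entry would reintroduce the PATH problem
		}
		if p := executableAt(dir, name); p != "" {
			return p, nil
		}
	}
	return "", fmt.Errorf("%s not found in trusted directories: %w", name, exec.ErrNotFound)
}

// untrustedPathEntries implements the mitigation check: it returns PATH
// entries that are empty, relative, world-writable, or that cannot be
// verified because they do not exist as directories. A world-writable
// directory is flagged even when it carries the sticky bit, because any user
// can still create a brand-new file named kenv there.
func untrustedPathEntries(pathEnv string) []string {
	var bad []string
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" || !filepath.IsAbs(dir) {
			bad = append(bad, dir)
			continue
		}
		fi, err := os.Stat(dir)
		if err != nil || !fi.IsDir() || fi.Mode().Perm()&0o002 != 0 {
			bad = append(bad, dir)
		}
	}
	return bad
}

// executableAt returns dir/name if it is an executable regular file, else "".
func executableAt(dir, name string) string {
	cand := filepath.Join(dir, name)
	fi, err := os.Stat(cand)
	if err != nil || !fi.Mode().IsRegular() || fi.Mode().Perm()&0o111 == 0 {
		return ""
	}
	return cand
}

func main() {
	pathEnv := os.Getenv("PATH")
	if bad := untrustedPathEntries(pathEnv); len(bad) > 0 {
		fmt.Println("untrusted PATH entries:", bad)
	}
	if p, err := vulnerableLookup("kenv", pathEnv); err == nil {
		fmt.Println("PATH-based lookup would run:", p)
	}
	p, err := hardenedLookup("kenv", trustedBinDirs)
	if errors.Is(err, exec.ErrNotFound) {
		fmt.Println("kenv not available from trusted directories; skipping host ID fallback")
		return
	}
	fmt.Println("hardened lookup runs:", p)
}
```

Note that since Go 1.19 os/exec refuses to run a command that PATH resolved through a relative entry (it returns exec.ErrDot), but it does nothing about an attacker-writable absolute directory that sorts before the real utility in PATH. That case is exactly the one this advisory describes, which is why the caller has to anchor the lookup to known directories rather than rely on the library.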
Remediation Steps:
- Update the go.mod file to require go.opentelemetry.io/otel/sdk v1.43.0.
- Run go mod tidy to update the module dependencies.
- Recompile the Go application.
- Deploy the updated application binary to affected BSD/Solaris environments.
References
- GitHub Security Advisory: GHSA-hfvc-g4fc-pqhx
- OpenTelemetry Release Notes: v1.43.0 Tag
- OSV Database Entry: GHSA-hfvc-g4fc-pqhx