cvedb.io
CVE-2026-40182
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2026-04-23T18:16:28.130 · Last modified 2026-06-17T10:44:49.967

Summary

OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2.

Affected products

opentelemetry — opentelemetry

Does this affect you?

Add your gear to cvedb and we'll alert you only when opentelemetry ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.