CVE-2026-24051 Overview
CVE-2026-24051 is a Path Hijacking (Untrusted Search Paths) vulnerability in OpenTelemetry-Go, the Go implementation of OpenTelemetry. The vulnerability exists in the OpenTelemetry Go SDK versions v1.20.0 through v1.39.0 and affects macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using an untrusted search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application.
Critical Impact
Local attackers can achieve arbitrary code execution by manipulating the PATH environment variable to hijack the ioreg system command execution on macOS/Darwin systems.
Affected Products
- OpenTelemetry-Go SDK v1.20.0 through v1.39.0
- macOS/Darwin systems running affected OpenTelemetry-Go versions
- Applications using the resource detection functionality in sdk/resource/host_id.go
Discovery Timeline
- 2026-02-02 - CVE-2026-24051 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-24051
Vulnerability Analysis
This vulnerability is classified as CWE-426 (Untrusted Search Path). The issue stems from how the OpenTelemetry Go SDK performs resource detection on macOS/Darwin systems. When the SDK needs to identify the host system, it executes the ioreg system utility to gather hardware information. However, the implementation does not use an absolute path to the binary, instead relying on the PATH environment variable to locate the executable.
This design flaw creates an exploitable condition where a local attacker who can modify the PATH environment variable can place a malicious executable named ioreg in a directory that appears earlier in the search path than the legitimate system binary location. When the vulnerable code executes, it will invoke the attacker-controlled binary instead of the legitimate system utility.
The attack requires local access and the ability to modify environment variables, which limits the attack surface but still presents a significant risk in multi-user environments or scenarios where an attacker has limited initial access and seeks privilege escalation or lateral movement.
Root Cause
The root cause is the use of an unqualified command name when executing the ioreg system utility in the sdk/resource/host_id.go file. Instead of specifying the absolute path to the system binary (typically /usr/sbin/ioreg), the code relies on PATH resolution. This violates the security principle of using explicit paths for system command execution, allowing path hijacking attacks.
Attack Vector
The attack vector is local, requiring an attacker to have existing access to the target system with the ability to modify the PATH environment variable for the process running the vulnerable OpenTelemetry-Go application. The attacker creates a malicious executable named ioreg and places it in a directory that is searched before the legitimate binary location. When the application invokes the resource detection functionality, the malicious binary executes with the same privileges as the application, enabling arbitrary code execution.
For detailed technical information about the vulnerability and the fix, refer to the GitHub Security Advisory GHSA-9h8m-3fm2-qjrq and the fix commit.
Detection Methods for CVE-2026-24051
Indicators of Compromise
- Presence of suspicious executables named ioreg in non-standard directories
- Unusual PATH environment variable modifications in application processes
- Unexpected process executions originating from OpenTelemetry-instrumented Go applications
- Anomalous child processes spawned by applications using OpenTelemetry-Go SDK
Detection Strategies
- Monitor for the creation of files named ioreg in directories other than /usr/sbin/
- Implement file integrity monitoring on system binary directories
- Analyze process execution chains for OpenTelemetry-instrumented applications
- Review environment variable configurations for applications using the affected SDK versions
Monitoring Recommendations
- Enable detailed process execution logging on macOS/Darwin systems running affected applications
- Configure alerts for unexpected PATH modifications in application environments
- Monitor for unusual command execution patterns from Go applications using OpenTelemetry
- Implement SentinelOne's behavioral AI to detect anomalous execution patterns indicative of path hijacking
How to Mitigate CVE-2026-24051
Immediate Actions Required
- Upgrade OpenTelemetry-Go SDK to version v1.40.0 or later immediately
- Audit all macOS/Darwin systems running applications with affected SDK versions
- Review PATH environment variable configurations for critical applications
- Restrict write access to directories in the application's PATH
Patch Information
A fix was released with OpenTelemetry-Go SDK version v1.40.0. The patch modifies the code in sdk/resource/host_id.go to use an absolute path when executing the ioreg command, eliminating the path hijacking vulnerability. The fix commit is available at the OpenTelemetry-Go repository.
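The same approach applied to an application's own call sites, as an added Go example (not the SDK's patch code). It contrasts the unqualified call described under Root Cause with a pinned one. `pinnedCommand` is a hypothetical helper, and its permission check and fixed child environment are extra hardening assumptions beyond what the patch is described as doing.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// pinnedCommand builds an *exec.Cmd for a system utility without consulting PATH.
// Hypothetical helper for illustration; not part of the OpenTelemetry-Go SDK.
func pinnedCommand(absPath string, args ...string) (*exec.Cmd, error) {
	if !filepath.IsAbs(absPath) {
		return nil, fmt.Errorf("refusing PATH lookup for %q: absolute path required", absPath)
	}
	// Check the binary and its directory: a writable directory lets the file be swapped.
	for _, p := range []string{absPath, filepath.Dir(absPath)} {
		info, err := os.Stat(p)
		if err != nil {
			return nil, fmt.Errorf("cannot verify %s: %w", p, err)
		}
		if info.Mode().Perm()&0o022 != 0 {
			return nil, fmt.Errorf("%s is group- or world-writable", p)
		}
	}
	cmd := exec.Command(absPath, args...)
	// Assumption: the child needs no inherited environment, only a fixed PATH.
	cmd.Env = []string{"PATH=/usr/bin:/bin:/usr/sbin:/sbin"}
	return cmd, nil
}

func main() {
	// Unqualified name, the pattern behind CWE-426: rejected instead of resolved via PATH.
	if _, err := pinnedCommand("ioreg"); err != nil {
		fmt.Println("rejected:", err)
	}
	// Absolute location named in the advisory text; present only on macOS/Darwin.
	cmd, err := pinnedCommand("/usr/sbin/ioreg")
	if err != nil {
		fmt.Println("not usable on this host:", err)
		return
	}
	fmt.Println("would run:", cmd.Path)
}
```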
Workarounds
- If immediate patching is not possible, restrict the PATH environment variable to include only trusted system directories
- Implement strict file permissions on all directories in the application's PATH
- Run affected applications in isolated environments with controlled PATH configurations
- Consider temporarily disabling resource detection on macOS/Darwin systems until patching is complete
# Restrict PATH to trusted system directories for the application
export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
# Verify no rogue ioreg binaries exist in PATH directories
which -a ioreg
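A Go version of the `which -a ioreg` check above that also reports which hit an unqualified lookup would run and whether it sits in the expected system directory. This is an added example, not from the advisory or the SDK; `Hit`, `auditPath` and `hijackable` are illustrative names.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Hit is one executable with the target name that a PATH lookup could reach.
type Hit struct {
	Path    string
	Wins    bool // first match in search order: what an unqualified lookup runs
	Trusted bool // located in the expected system directory
}

// auditPath walks pathEnv in search order and reports every executable called name.
func auditPath(pathEnv, name, trustedDir string) []Hit {
	var hits []Hit
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" {
			dir = "." // an empty PATH entry means the current directory
		}
		candidate := filepath.Join(dir, name)
		info, err := os.Stat(candidate)
		if err != nil || info.IsDir() || info.Mode().Perm()&0o111 == 0 {
			continue // missing, a directory, or not executable
		}
		hits = append(hits, Hit{
			Path:    candidate,
			Wins:    len(hits) == 0,
			Trusted: filepath.Clean(dir) == filepath.Clean(trustedDir),
		})
	}
	return hits
}

// hijackable is true when the lookup winner is not the trusted binary.
func hijackable(hits []Hit) bool {
	return len(hits) > 0 && !hits[0].Trusted
}

func main() {
	hits := auditPath(os.Getenv("PATH"), "ioreg", "/usr/sbin")
	for _, h := range hits {
		fmt.Printf("%-40s wins=%-5t trusted=%t\n", h.Path, h.Wins, h.Trusted)
	}
	fmt.Println("unqualified lookup resolves outside /usr/sbin:", hijackable(hits))
}
```

Run it with the same environment the service starts with; an interactive shell's PATH can differ from the one a launch agent or daemon receives.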

