CVE-2026-29181 Overview
OpenTelemetry-Go, the Go implementation of the OpenTelemetry observability framework, contains a resource exhaustion vulnerability in versions 1.36.0 through 1.40.0. The vulnerability exists in the multi-value baggage header extraction mechanism, which parses each header field-value independently and aggregates members across values. This design flaw allows attackers to amplify CPU and memory allocations by sending numerous baggage: header lines, bypassing the 8192-byte per-value parse limit through header multiplication.
Critical Impact
Attackers can cause denial of service through CPU and memory exhaustion by exploiting the baggage header parsing aggregation behavior, even when each individual header value stays within allowed limits.
Affected Products
- OpenTelemetry-Go versions 1.36.0 through 1.40.0
- Applications using OpenTelemetry-Go baggage header parsing functionality
- Services implementing OpenTelemetry distributed tracing with baggage context propagation
Discovery Timeline
- 2026-04-07 - CVE CVE-2026-29181 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-29181
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The OpenTelemetry-Go library's baggage header parsing implementation processes each baggage: header field-value independently before aggregating all members across multiple header values. While the library enforces an 8192-byte limit on individual header values, it fails to limit the total number of header lines or the aggregate size of all baggage data.
An attacker can exploit this by sending HTTP requests containing many separate baggage: header lines, each within the per-value limit but collectively causing significant resource consumption. The parsing and aggregation process multiplies the resource impact, leading to CPU exhaustion from parsing operations and memory exhaustion from storing aggregated baggage members.
Root Cause
The root cause lies in the absence of aggregate resource limits in the baggage header extraction logic. The implementation correctly validates individual header values against the 8192-byte threshold but lacks controls for:
- Maximum number of baggage: headers per request
- Total aggregate size of all baggage data
- Rate limiting on baggage parsing operations
This architectural oversight allows the per-header validation to be circumvented through header multiplication, effectively creating an amplification vector where small individual inputs combine to produce disproportionate resource consumption.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker sends specially crafted HTTP requests to any service utilizing the vulnerable OpenTelemetry-Go versions for baggage header parsing. By including numerous baggage: header lines (each under 8192 bytes), the attacker forces the target application to parse and aggregate all values, consuming excessive CPU cycles and memory allocations.
The vulnerability manifests in the baggage header extraction functionality where multiple header values are processed sequentially and their members are combined. Technical details and the specific code path affected can be found in the GitHub Security Advisory.
Detection Methods for CVE-2026-29181
Indicators of Compromise
- Anomalous increase in HTTP requests containing multiple baggage: headers
- Memory consumption spikes in services using OpenTelemetry-Go for context propagation
- CPU utilization anomalies correlated with request processing
- Application slowdowns or timeouts in OpenTelemetry-instrumented services
Detection Strategies
- Monitor for HTTP requests with unusually high numbers of baggage: header lines
- Implement request rate limiting and header count thresholds at the load balancer or WAF level
- Track memory allocation patterns in OpenTelemetry-instrumented applications
- Set up alerting for sudden increases in request processing latency
Monitoring Recommendations
- Deploy application performance monitoring to track resource consumption during request processing
- Configure logging to capture requests with excessive header counts for forensic analysis
- Establish baseline metrics for normal baggage header usage patterns to detect anomalies
- Integrate dependency scanning to identify applications running vulnerable OpenTelemetry-Go versions
How to Mitigate CVE-2026-29181
Immediate Actions Required
- Upgrade OpenTelemetry-Go to version 1.41.0 or later immediately
- Audit all applications using OpenTelemetry-Go versions 1.36.0 through 1.40.0
- Implement temporary rate limiting on incoming requests at the network edge
- Configure web application firewalls to limit the number of baggage: headers per request
Patch Information
The vulnerability is fixed in OpenTelemetry-Go version 1.41.0. Organizations should update their Go module dependencies to reference the patched version. The fix implements proper aggregate resource limits for baggage header parsing, preventing the amplification attack vector.
For detailed patch information and upgrade guidance, refer to the GitHub Security Advisory.
Workarounds
- Deploy a reverse proxy or WAF rule to limit the number of baggage: headers accepted per request
- Implement request filtering at the application gateway to reject requests with excessive headers
- Consider temporarily disabling baggage context propagation if not critical to operations
- Apply network-level rate limiting to reduce the impact of potential exploitation attempts
# Example: Update Go module to patched version
go get go.opentelemetry.io/otel@v1.41.0
go mod tidy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
