CVE-2026-42191 Overview
CVE-2026-42191 affects the OpenTelemetry.Exporter.OpenTelemetryProtocol package, the OTLP (OpenTelemetry Protocol) exporter implementation for .NET. The vulnerability impacts versions 1.8.0 through 1.15.2 and is fixed in 1.15.3. The OTLP disk retry feature silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set without configuring OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH. The exporter then stored *.blob files under predictable signal-named subdirectories in the shared temporary root. The flaw is categorized as [CWE-379] Creation of Temporary File in Directory with Insecure Permissions.
Critical Impact
Local attackers on multi-user systems can read, modify, or plant telemetry blob files, leaking trace and metric data or causing disk exhaustion and retry-loop degradation.
Affected Products
- OpenTelemetry.Exporter.OpenTelemetryProtocol versions 1.8.0 through 1.15.2
- .NET applications using OTLP disk retry without an explicit retry directory path
- Multi-user host environments running affected exporter versions
Discovery Timeline
- 2026-05-12 - CVE-2026-42191 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42191
Vulnerability Analysis
The OTLP exporter persists pending telemetry to disk when network export fails and the disk retry mode is enabled. When operators enabled retries by setting OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk but did not specify OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH, the exporter fell back to Path.GetTempPath(). On Linux this typically resolves to /tmp, and on Windows it can resolve to a shared temporary location depending on the service account. The exporter then created fixed subdirectories named traces, metrics, and logs and wrote *.blob files containing serialized OTLP payloads.
Root Cause
The root cause is insecure temporary directory selection without permission validation. The fallback path is world-readable and world-writable on typical multi-user systems. The exporter did not enforce restrictive ACLs on the signal subdirectories, nor did it verify ownership before reading queued *.blob files during retry. The CWE-379 classification reflects creation of files in a location where other local accounts have access.
Attack Vector
An attacker requires a local unprivileged account on the same host as the affected application. The attacker can enumerate the predictable traces, metrics, and logs subdirectories under the temporary path and read queued OTLP payloads, which may contain sensitive request data, headers, or business attributes captured by instrumentation. The attacker can also write crafted *.blob files that the application will deserialize and forward during the next retry cycle, injecting forged telemetry into downstream backends. Finally, the attacker can deposit large or numerous blob files to consume disk space and degrade retry-loop performance, producing a local denial of service.
The vulnerability mechanism is described in the OpenTelemetry Security Advisory GHSA-4625-4j76-fww9 and the upstream fix in pull request #7106.
Detection Methods for CVE-2026-42191
Indicators of Compromise
- Presence of traces, metrics, or logs subdirectories under the system temporary path containing *.blob files not owned by the application service account
- Unexpected *.blob files written by local user accounts other than the OpenTelemetry-instrumented application identity
- Sudden growth in temporary directory size or inode count correlated with OTLP export failures
Detection Strategies
- Audit running .NET processes for the environment variable OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk without a corresponding OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH value
- Inventory installed NuGet packages for OpenTelemetry.Exporter.OpenTelemetryProtocol versions between 1.8.0 and 1.15.2
- Monitor file creation events under /tmp/traces, /tmp/metrics, /tmp/logs, and equivalent Windows temporary paths
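The first and third detection strategies above, as an added Python example that is not part of the advisory or the OpenTelemetry project: it parses a process environment for the temp-path fallback condition and flags *.blob files under the fixed signal subdirectories that are not owned by the application account. The function names, the sample environ bytes and the file list are constructed for illustration.

```python
import os
from dataclasses import dataclass

RETRY_VAR = "OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY"
DIR_VAR = "OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH"
SIGNAL_DIRS = ("traces", "metrics", "logs")  # fixed subdirectory names used by the exporter

def parse_proc_environ(raw: bytes) -> dict:
    """Parse the NUL-separated content of /proc/<pid>/environ into a dict."""
    env = {}
    for item in raw.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def retry_falls_back_to_temp(env: dict) -> bool:
    """True when disk retry is enabled but no explicit directory is configured,
    i.e. the vulnerable versions would fall back to Path.GetTempPath()."""
    return env.get(RETRY_VAR) == "disk" and not env.get(DIR_VAR, "").strip()

@dataclass
class FileEntry:
    path: str  # absolute path of a file found under the temp root
    uid: int   # numeric owner of that file (e.g. from os.lstat(path).st_uid)

def foreign_blobs(entries, tmp_root: str, app_uid: int) -> list:
    """Return *.blob files in <tmp_root>/{traces,metrics,logs} whose owner
    is not the application service account."""
    flagged = []
    for e in entries:
        parts = os.path.relpath(e.path, tmp_root).replace("\\", "/").split("/")
        if (len(parts) == 2 and parts[0] in SIGNAL_DIRS
                and parts[1].endswith(".blob") and e.uid != app_uid):
            flagged.append(e.path)
    return sorted(flagged)

# Constructed sample input (not captured from a real host).
SAMPLE_ENVIRON = b"PATH=/usr/bin\0OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk\0HOME=/srv/app\0"
SAMPLE_ENTRIES = [
    FileEntry("/tmp/traces/a1.blob", 1001),     # owned by the app account (uid 1001)
    FileEntry("/tmp/traces/b2.blob", 1002),     # written by another local user
    FileEntry("/tmp/metrics/notes.txt", 1002),  # not a blob, ignored
    FileEntry("/tmp/logs/c3.blob", 1001),
]

if __name__ == "__main__":
    print("temp fallback:", retry_falls_back_to_temp(parse_proc_environ(SAMPLE_ENVIRON)))
    print("foreign blobs:", foreign_blobs(SAMPLE_ENTRIES, "/tmp", 1001))
```

On a live host, feed foreign_blobs with entries built from os.listdir over each signal subdirectory and os.lstat(path).st_uid, and feed retry_falls_back_to_temp with the bytes of /proc/<pid>/environ for each .NET process.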
Monitoring Recommendations
- Enable file integrity monitoring on the temporary directory tree used by OTLP retries and alert on writes from non-application UIDs
- Track OTLP exporter retry counters and disk queue depth metrics for anomalous growth patterns
- Correlate telemetry ingestion anomalies at the OTLP collector with on-host blob file activity to identify potential injection
How to Mitigate CVE-2026-42191
Immediate Actions Required
- Upgrade OpenTelemetry.Exporter.OpenTelemetryProtocol to version 1.15.3 or later across all affected .NET applications
- Explicitly set OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH to a directory owned by and restricted to the application service account
- Inspect existing traces, metrics, and logs directories under temporary paths for unauthorized *.blob files and remove them after forensic capture
Patch Information
The maintainers fixed the vulnerability in OpenTelemetry.Exporter.OpenTelemetryProtocol version 1.15.3. Details are documented in GitHub Pull Request #7106 and the GitHub Security Advisory GHSA-4625-4j76-fww9.
Workarounds
- Disable the disk retry feature by unsetting OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY until the package can be upgraded
- Configure OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH to a dedicated directory with 0700 permissions owned by the application user
- On multi-user hosts, restrict access to the system temporary directory or run the instrumented application under an isolated service account with a private temporary path
# Configuration example: dedicated, permission-restricted retry directory
sudo mkdir -p /var/lib/myapp/otel-retry
sudo chown myappsvc:myappsvc /var/lib/myapp/otel-retry
sudo chmod 700 /var/lib/myapp/otel-retry
export OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk
export OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH=/var/lib/myapp/otel-retry
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.