OpenTelemetry-Go Path Hijacking Vulnerability Leading to Arbitrary Code Execution on macOS

Vulnerability

A path hijacking vulnerability allowing arbitrary code execution has been identified in the OpenTelemetry Go SDK, affecting versions from 1.20.0 up to, but not including, 1.39.0. The issue is specific to macOS, where the SDK's resource detection code runs the 'ioreg' command by bare name, so the binary is resolved through the PATH environment variable at runtime rather than from a fixed absolute path. A local attacker who can modify the PATH seen by the application, or who can write into a directory that PATH lists ahead of the system location of 'ioreg', can place a malicious executable named 'ioreg' that the SDK will run, gaining arbitrary code execution within the application's context.
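The following Go program is an added illustration of the mechanism described above; it is not code from the OpenTelemetry project or from this advisory. It reproduces the PATH lookup that exec.Command performs for a bare command name, plants a fake 'ioreg' in a directory placed first on a constructed PATH, and shows that the bare-name form resolves to the planted file while an absolute path does not. The /usr/sbin/ioreg location, the ioreg command line, and all function names are assumptions made for the demo.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// Assumed location of the genuine ioreg on macOS; an absolute path is used
// verbatim by exec.Command and PATH is never consulted.
const trustedIoreg = "/usr/sbin/ioreg"

// lookPathIn reproduces the Unix PATH lookup exec.Command performs for a
// bare command name: the first PATH directory holding a regular file with
// an execute bit wins. Taking pathEnv as a parameter keeps the demo
// independent of the real process environment.
func lookPathIn(name, pathEnv string) (string, error) {
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" {
			dir = "." // an empty PATH element means the current directory
		}
		candidate := filepath.Join(dir, name)
		info, err := os.Stat(candidate)
		if err == nil && info.Mode().IsRegular() && info.Mode().Perm()&0o111 != 0 {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("%q not found in PATH", name)
}

// plantFakeIoreg writes an attacker-controlled script named "ioreg" into dir
// (constructed for the demo) and returns its path.
func plantFakeIoreg(dir string) (string, error) {
	p := filepath.Join(dir, "ioreg")
	script := "#!/bin/sh\necho HIJACKED\n"
	return p, os.WriteFile(p, []byte(script), 0o755)
}

// hijackable reports what exec.Command(cmd, ...) would run under pathEnv and
// whether that is something other than the trusted binary. A cmd containing
// a path separator is used as given, so it can never be redirected by PATH.
func hijackable(cmd, pathEnv string) (resolved string, bad bool) {
	if strings.Contains(cmd, "/") {
		return cmd, false
	}
	resolved, err := lookPathIn(cmd, pathEnv)
	if err != nil {
		return "", false
	}
	return resolved, resolved != trustedIoreg
}

// writableDirsBefore lists PATH entries searched before trustedDir that are
// world-writable: anyone able to drop a file there wins the lookup.
func writableDirsBefore(pathEnv, trustedDir string) []string {
	var out []string
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == trustedDir {
			break
		}
		if info, err := os.Stat(dir); err == nil && info.IsDir() && info.Mode().Perm()&0o002 != 0 {
			out = append(out, dir)
		}
	}
	return out
}

func main() {
	tmp, _ := os.MkdirTemp("", "pathdemo")
	defer os.RemoveAll(tmp)
	fake, _ := plantFakeIoreg(tmp)
	attackerPath := tmp + string(os.PathListSeparator) + filepath.Dir(trustedIoreg)

	// Vulnerable pattern: bare name, resolved through the poisoned PATH.
	r, bad := hijackable("ioreg", attackerPath)
	fmt.Println("bare name resolves to", r, "planted:", r == fake, "hijackable:", bad)

	// Hardened pattern: absolute path, PATH ignored even when poisoned.
	r, bad = hijackable(trustedIoreg, attackerPath)
	fmt.Println("absolute path resolves to", r, "hijackable:", bad)

	// The real exec.Command shows the same behaviour (assumed ioreg arguments).
	os.Setenv("PATH", attackerPath)
	cmd := exec.Command("ioreg", "-rd1", "-c", "IOPlatformExpertDevice")
	fmt.Println("exec.Command would run:", cmd.Path)
}
```

The writableDirsBefore check is the one to run against a deployed process environment: any world-writable directory that PATH lists before the trusted directory makes a bare-name exec hijackable without needing to change PATH at all.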

Impact

Exploitation of this vulnerability leads to arbitrary code execution with the privileges of the process that runs the SDK's resource detection, so the attacker's code inherits whatever credentials, network access and data that application holds.

Remediation

Users should upgrade to OpenTelemetry Go SDK version 1.40.0 or later to address this vulnerability. Until the upgrade is deployed, the exposure can be reduced by ensuring the application starts with a trusted PATH that contains no user- or world-writable directories ahead of the system directories.

Added: Feb 2, 2026, 11:28 PM
Updated: Feb 2, 2026, 11:28 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 7.5
exploitability: 3.5
remediation: 7.7
relevance: 2.4
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.