CVE-2026-55701: opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication
The githubreceiver webhook handler does not enforce the required_headers configuration. The configured headers are validated at startup (the config rejects empty keys and values) but are never checked on incoming requests, so the setting provides no authentication at all. This follows the same pattern as GHSA-prf6-xjxh-p698 (awsfirehosereceiver auth bypass). Verified against current main.
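The defect is the gap between validating a setting and enforcing it. The following Go sketch is an added illustration, not the collector's code and not a description of how upstream fixed the issue: it separates the startup check (non-empty keys and values) from the per-request check (every configured header present with the configured value), and lets a handler be built with the request-time check switched off so the advisory's failure mode is visible next to the correct behaviour. The type `RequiredHeaders`, the functions, the header name `X-Webhook-Token` and its value are all constructed for this example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// RequiredHeaders stands in for a required_headers-style setting: each entry is a
// header name that must be present on every inbound request with exactly that value.
// (Hypothetical type; the collector's own config structure is not shown on the page.)
type RequiredHeaders map[string]string

// ValidateConfig is the startup-time check: reject empty names or values.
// Passing this check says nothing about whether requests will be checked later.
func ValidateConfig(h RequiredHeaders) error {
	for name, value := range h {
		if name == "" || value == "" {
			return errors.New("required_headers: header name and value must be non-empty")
		}
	}
	return nil
}

// CheckRequest is the request-time enforcement that must run on every webhook call.
// Header.Get canonicalises the name, so config casing does not matter; the value is
// compared in constant time so a mismatch does not leak how many bytes matched.
func CheckRequest(h RequiredHeaders, r *http.Request) error {
	for name, want := range h {
		got := r.Header.Get(name)
		if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
			return fmt.Errorf("required header %q missing or mismatched", name)
		}
	}
	return nil
}

// NewHandler wraps the webhook handler. With enforce=false it reproduces the
// advisory's condition: the config was validated but requests are never checked.
func NewHandler(h RequiredHeaders, enforce bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if enforce {
			if err := CheckRequest(h, r); err != nil {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one in-memory POST with the given headers and returns the status code.
func Probe(handler http.Handler, headers map[string]string) int {
	req := httptest.NewRequest(http.MethodPost, "/events", nil)
	for name, value := range headers {
		req.Header.Set(name, value)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample setting; the value is a placeholder, not a real token.
	cfg := RequiredHeaders{"X-Webhook-Token": "example-token"}
	if err := ValidateConfig(cfg); err != nil {
		panic(err)
	}
	accept := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	lax := NewHandler(cfg, false, accept)   // config validated, never enforced
	strict := NewHandler(cfg, true, accept) // config validated and enforced

	fmt.Println("lax, no header:      ", Probe(lax, nil))
	fmt.Println("strict, no header:   ", Probe(strict, nil))
	fmt.Println("strict, wrong value: ", Probe(strict, map[string]string{"X-Webhook-Token": "other"}))
	fmt.Println("strict, correct:     ", Probe(strict, map[string]string{"X-Webhook-Token": "example-token"}))
}
```

The useful check when reviewing a receiver that exposes an authentication setting is the one `Probe(lax, nil)` makes visible: send a request with none of the configured headers and confirm it is rejected. A setting that only survives config validation, as in this advisory, passes that request straight through.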