CVE-2026-39882: opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

April 8, 2026 (updated April 9, 2026)

overview: this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment. claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

exporters/otlp/otlptrace/otlptracehttp/client.go:199
exporters/otlp/otlptrace/otlptracehttp/client.go:230
exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
exporters/otlp/otlplog/otlploghttp/client.go:190
exporters/otlp/otlplog/otlploghttp/client.go:221

References

Code Behaviors & Features

Detect and mitigate CVE-2026-39882 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →