CVE-2026-39883: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

April 8, 2026 (updated April 9, 2026)

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

References

github.com/advisories/GHSA-hfvc-g4fc-pqhx
github.com/open-telemetry/opentelemetry-go
github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx
nvd.nist.gov/vuln/detail/CVE-2026-39883

Code Behaviors & Features

Detect and mitigate CVE-2026-39883 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →