CVE-2026-45292: OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation
The practical availability impact for most deployments is limited. Every major Java HTTP server enforces its own header size limit (Tomcat, Jetty, Netty, Vert.x, and gRPC-Java all default to 8 KiB), constraining what an external attacker can deliver before the application is reached. The risk is higher when transport-layer limits are absent — e.g., a compromised internal service communicating over a non-HTTP or custom transport.
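For deployments where a transport-layer header limit is absent, a stopgap alongside upgrading to the fixed release linked in the references is to bound the `baggage` header before the propagator parses it. The following is an added example, not code from opentelemetry-java: a `TextMapGetter` decorator that hides any `baggage` value larger than a configurable byte limit (defaulting here to the 8 KiB the servers above enforce), so `W3CBaggagePropagator` never sees the oversized header. It assumes `io.opentelemetry:opentelemetry-api` on the classpath; the class name, the map-backed carrier and the sample header values are constructed for this example.

```java
import io.opentelemetry.api.baggage.Baggage;
import io.opentelemetry.api.baggage.propagation.W3CBaggagePropagator;
import io.opentelemetry.context.Context;
import io.opentelemetry.context.propagation.TextMapGetter;

import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Map;

/**
 * Hypothetical decorator (not part of opentelemetry-java): wraps any TextMapGetter and
 * reports an oversized "baggage" header as absent, so the propagator parses nothing.
 * Apply the same limit a typical HTTP server would (8 KiB) when the transport has none.
 */
public final class BoundedBaggageGetter<C> implements TextMapGetter<C> {
    private static final String BAGGAGE_HEADER = "baggage";
    private final TextMapGetter<C> delegate;
    private final int maxBytes;

    public BoundedBaggageGetter(TextMapGetter<C> delegate, int maxBytes) {
        this.delegate = delegate;
        this.maxBytes = maxBytes;
    }

    @Override
    public Iterable<String> keys(C carrier) {
        return delegate.keys(carrier);
    }

    @Override
    public String get(C carrier, String key) {
        String value = delegate.get(carrier, key);
        if (value != null
                && BAGGAGE_HEADER.equalsIgnoreCase(key)
                && value.getBytes(StandardCharsets.UTF_8).length > maxBytes) {
            // Drop the header rather than parse it; a real deployment would also log/metric this.
            return null;
        }
        return value;
    }

    // Demo against a constructed carrier: a plain map keyed by lowercase header names.
    public static void main(String[] args) {
        TextMapGetter<Map<String, String>> mapGetter = new TextMapGetter<>() {
            @Override
            public Iterable<String> keys(Map<String, String> carrier) {
                return carrier.keySet();
            }

            @Override
            public String get(Map<String, String> carrier, String key) {
                return carrier == null ? null : carrier.get(key.toLowerCase(Locale.ROOT));
            }
        };
        TextMapGetter<Map<String, String>> bounded =
                new BoundedBaggageGetter<>(mapGetter, 8 * 1024);

        // Constructed inputs: a normal header and a 1 MiB header a transport limit would have stopped.
        Map<String, String> normal = Map.of(BAGGAGE_HEADER, "tenant=acme,region=eu");
        Map<String, String> oversized = Map.of(BAGGAGE_HEADER, "k=" + "v".repeat(1 << 20));

        W3CBaggagePropagator propagator = W3CBaggagePropagator.getInstance();
        Context fromNormal = propagator.extract(Context.root(), normal, bounded);
        Context fromOversized = propagator.extract(Context.root(), oversized, bounded);

        System.out.println(Baggage.fromContext(fromNormal).getEntryValue("tenant")); // acme
        System.out.println(Baggage.fromContext(fromOversized).isEmpty());            // true
    }
}
```

The limit is enforced on the raw byte length before any parsing, which is the property the transport-layer limits provide; wrapping the getter rather than the propagator keeps the same guard usable with any composite propagator that also reads `baggage`.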
References
- github.com/advisories/GHSA-rcgg-9c38-7xpx
- github.com/open-telemetry/opentelemetry-java/commit/03837d3c1763bc35464aea1078671e2ef2336a5f
- github.com/open-telemetry/opentelemetry-java/pull/8380
- github.com/open-telemetry/opentelemetry-java/releases/tag/v1.62.0
- github.com/open-telemetry/opentelemetry-java/security/advisories/GHSA-rcgg-9c38-7xpx
- nvd.nist.gov/vuln/detail/CVE-2026-45292