CVE-2026-23886: Swift W3C TraceContext vulnerable to a malformed HTTP header causing a crash
A denial-of-service vulnerability due to improper input validation allows a remote attacker to crash the service via a malformed HTTP header.
The vulnerability allows crashing the process with data coming from the network when the library is used with, for example, an HTTP server. The most common way of using Swift W3C Trace Context is through Swift OTel.
References
- github.com/advisories/GHSA-mvpq-2v8x-ww6g
- github.com/swift-otel/swift-otel/releases/tag/1.0.4
- github.com/swift-otel/swift-w3c-trace-context
- github.com/swift-otel/swift-w3c-trace-context/commit/5da9b143ba6046734de3fa51dafea28290174e4e
- github.com/swift-otel/swift-w3c-trace-context/releases/tag/1.0.0-beta.5
- github.com/swift-otel/swift-w3c-trace-context/security/advisories/GHSA-mvpq-2v8x-ww6g
- nvd.nist.gov/vuln/detail/CVE-2026-23886