CVE-2026-45292: OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation
The practical availability impact for most deployments is limited. Every major Java HTTP server enforces its own request header size limit (Tomcat, Jetty, Netty, Vert.x, and gRPC-Java all default to 8 KiB), which caps the size of a baggage header an external attacker can deliver before the application, and therefore the SDK's propagator, ever sees it. The risk is higher when no transport-layer limit applies, e.g., when a compromised internal service sends baggage over a non-HTTP or custom transport that imposes no header size bound of its own.
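For carriers that arrive over a transport with no header size limit, the application can impose the missing bound itself before handing the carrier to the SDK. The class below is an added example written for this page, not code from the OpenTelemetry project or the advisory: it wraps a `TextMapGetter` for a `Map<String, String>` carrier and treats a `baggage` header larger than 8192 bytes as absent, so `W3CBaggagePropagator` never parses it. The 8192-byte cap (chosen to mirror the HTTP server defaults quoted above), the class name `BoundedBaggageGetter`, the helper `extractBaggage`, and the sample carriers are assumptions made for the example; the `TextMapGetter`, `W3CBaggagePropagator`, `Context`, and `Baggage` types are the public OpenTelemetry Java API.

```java
import io.opentelemetry.api.baggage.Baggage;
import io.opentelemetry.api.baggage.propagation.W3CBaggagePropagator;
import io.opentelemetry.context.Context;
import io.opentelemetry.context.propagation.TextMapGetter;

import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not OpenTelemetry project code): a TextMapGetter that caps the
 * size of the incoming "baggage" header before the SDK's propagator parses it.
 * Useful when the carrier comes from a transport with no header size limit of
 * its own. The cap value and all names here are choices made for this example.
 */
public final class BoundedBaggageGetter implements TextMapGetter<Map<String, String>> {

  // Assumed cap, chosen to match the 8 KiB default of common Java HTTP servers.
  static final int MAX_BAGGAGE_BYTES = 8192;

  // W3CBaggagePropagator looks the header up under this exact key.
  private static final String BAGGAGE_HEADER = "baggage";

  @Override
  public Iterable<String> keys(Map<String, String> carrier) {
    return carrier.keySet();
  }

  @Override
  public String get(Map<String, String> carrier, String key) {
    if (carrier == null) {
      return null;
    }
    String value = carrier.get(key);
    // Report an oversized baggage header as missing rather than let the SDK allocate for it.
    if (value != null
        && BAGGAGE_HEADER.equals(key)
        && value.getBytes(StandardCharsets.UTF_8).length > MAX_BAGGAGE_BYTES) {
      return null;
    }
    return value;
  }

  /** Extracts baggage from a carrier; an oversized baggage header yields empty baggage. */
  static Baggage extractBaggage(Map<String, String> carrier) {
    Context ctx =
        W3CBaggagePropagator.getInstance()
            .extract(Context.root(), carrier, new BoundedBaggageGetter());
    return Baggage.fromContext(ctx);
  }

  public static void main(String[] args) {
    // Constructed sample carriers for the example, not captured traffic.
    Map<String, String> small = new HashMap<>();
    small.put(BAGGAGE_HEADER, "userId=alice,region=eu");

    // Build a well-formed baggage value just over the cap: k0=v,k1=v,...
    StringBuilder huge = new StringBuilder();
    for (int i = 0; huge.length() <= MAX_BAGGAGE_BYTES; i++) {
      if (i > 0) {
        huge.append(',');
      }
      huge.append('k').append(i).append("=v");
    }
    Map<String, String> oversized = new HashMap<>();
    oversized.put(BAGGAGE_HEADER, huge.toString());

    System.out.println("small carrier entries:     " + extractBaggage(small).size());     // 2
    System.out.println("oversized carrier entries: " + extractBaggage(oversized).size()); // 0
  }
}
```

This guard only covers carriers that the application itself feeds to the propagator; it is a stopgap for transports without their own header limit, not a substitute for moving to the SDK release linked in the references below. Keep the cap aligned with whatever limit the surrounding HTTP servers already enforce so that behaviour is consistent across transports.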
References
- github.com/advisories/GHSA-rcgg-9c38-7xpx
- github.com/open-telemetry/opentelemetry-java/commit/03837d3c1763bc35464aea1078671e2ef2336a5f
- github.com/open-telemetry/opentelemetry-java/pull/8380
- github.com/open-telemetry/opentelemetry-java/releases/tag/v1.62.0
- github.com/open-telemetry/opentelemetry-java/security/advisories/GHSA-rcgg-9c38-7xpx
- nvd.nist.gov/vuln/detail/CVE-2026-45292