CVE-2026-23886

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-23886
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23886.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23886
Aliases
Published
2026-01-19T21:01:52.694Z
Modified
2026-01-28T05:52:45.233716Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Swift W3C TraceContext has malformed HTTP header that can cause a crash
Details

Swift W3C TraceContext is a Swift implementation of the W3C Trace Context standard, and Swift OTel is an OpenTelemetry Protocol (OTLP) backend for Swift Log, Swift Metrics, and Swift Distributed Tracing. Prior to Swift W3C TraceContext version 1.0.0-beta.5 and Swift OTel version 1.0.4, a denial-of-service vulnerability due to improper input validation allows a remote attacker to crash the service via a malformed HTTP header. This allows crashing the process with data coming from the network when used with, for example, an HTTP server. Most common way of using Swift W3C Trace Context is through Swift OTel. Version 1.0.0-beta.5 of Swift W3C TraceContext and version 1.0.4 of Swift OTel contain a patch for this issue. As a workaround, disable either Swift OTel or the code that extracts the trace information from an incoming header (such as a TracingMiddleware).

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23886.json",
    "cwe_ids": [
        "CWE-20"
    ]
}
References

Affected packages

Git / github.com/swift-otel/swift-otel

Affected ranges

Type
GIT
Repo
https://github.com/swift-otel/swift-otel
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b5f4d8b3ec75c63bf85526b6ff3789b6de0d54a1

Affected versions

0.*
0.1.0
0.1.1
0.10.0
0.10.1
0.11.0
0.12.0
0.2.0
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.8.0
0.9.0
1.*
1.0.0
1.0.0-alpha.1
1.0.0-alpha.2
1.0.0-beta.1
1.0.0-rc.1
1.0.1
1.0.2
1.0.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23886.json"

Git / github.com/swift-otel/swift-w3c-trace-context

Affected ranges

Type
GIT
Repo
https://github.com/swift-otel/swift-w3c-trace-context
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
5da9b143ba6046734de3fa51dafea28290174e4e

Affected versions

0.*
0.1.0
0.2.0
0.3.0
0.4.0
0.5.0
0.6.0
1.*
1.0.0-beta.1
1.0.0-beta.2
1.0.0-beta.3
1.0.0-beta.4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23886.json"