CVE-2026-42191

Source
https://cve.org/CVERecord?id=CVE-2026-42191
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42191.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42191
Aliases
Downstream
Related
Published
2026-05-12T19:12:03.221Z
Modified
2026-07-08T08:13:13.686408475Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
Summary
OpenTelemetry.Exporter.OpenTelemetryProtocol: Disk retry default temp path enables local blob injection for OTLP Exporter
Details

OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTELDOTNETEXPERIMENTALOTLPRETRY=disk was set but OTELDOTNETEXPERIMENTALOTLPDISKRETRYDIRECTORY_PATH was not configured. The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path. On multi-user systems where the temporary directory is accessible to other local accounts, this allows an attacker to write crafted *.blob files, read *.blob files written by the application between export failures, or deposit numerous or oversized blob files, degrading retry-loop performance or consuming disk space. This vulnerability is fixed in 1.15.3.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42191.json",
    "cwe_ids": [
        "CWE-379"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/open-telemetry/opentelemetry-dotnet

Affected ranges

Type
GIT
Repo
https://github.com/open-telemetry/opentelemetry-dotnet
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:*:*:*:*:*:.net:*:*",
    "extracted_events": [
        {
            "introduced": "1.8.0"
        },
        {
            "fixed": "1.15.3"
        }
    ]
}

Affected versions

Instrumentation.*
Instrumentation.AspNetCore-1.8.0
Instrumentation.AspNetCore-1.8.1
Instrumentation.GrpcNetClient-1.8.0-beta.1
Instrumentation.Http-1.8.0
Instrumentation.Http-1.8.1
Instrumentation.SqlClient-1.8.0-beta.1
core-1.*
core-1.10.0
core-1.10.0-beta.1
core-1.10.0-rc.1
core-1.11.0
core-1.11.0-rc.1
core-1.11.1
core-1.11.2
core-1.12.0
core-1.13.0
core-1.13.1
core-1.14.0
core-1.14.0-rc.1
core-1.15.0
core-1.15.1
core-1.15.2
core-1.8.0
core-1.9.0
core-1.9.0-alpha.1
core-1.9.0-rc.1
coreunstable-1.*
coreunstable-1.10.0-beta.1
coreunstable-1.11.0-beta.1
coreunstable-1.11.2-beta.1
coreunstable-1.12.0-beta.1
coreunstable-1.13.0-beta.1
coreunstable-1.13.1-beta.1
coreunstable-1.14.0-beta.1
coreunstable-1.15.0-beta.1
coreunstable-1.15.1-beta.1
coreunstable-1.15.2-beta.1
coreunstable-1.9.0-alpha.1
coreunstable-1.9.0-alpha.2
coreunstable-1.9.0-beta.1
coreunstable-1.9.0-beta.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42191.json"