{"id":"CVE-2026-29181","summary":"OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote DoS amplification)","details":"OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify CPU and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.","aliases":["GHSA-mh2q-q3fh-2475"],"modified":"2026-04-09T11:45:16.479810Z","published":"2026-04-07T20:29:13.933Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-770"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29181.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29181.json"},{"type":"ADVISORY","url":"https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29181"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/open-telemetry/opentelemetry-go","events":[{"introduced":"a85ae98dcedc0761078518a715dea53e519b4846"},{"fixed":"4575a9774dd9415ffc858dd34955493b0031065a"}],"database_specific":{"versions":[{"introduced":"1.36.0"},{"fixed":"1.41.0"}]}}],"versions":["bridge/opencensus/test/v1.36.0","bridge/opencensus/test/v1.37.0","bridge/opencensus/test/v1.38.0","bridge/opencensus/test/v1.39.0","bridge/opencensus/test/v1.40.0","bridge/opencensus/v1.36.0","bridge/opencensus/v1.37.0","bridge/opencensus/v1.38.0","bridge/opencensus/v1.39.0","bridge/opencensus/v1.40.0","bridge/opentracing/test/v1.36.0","bridge/opentracing/v1.36.0","bridge/opentracing/v1.37.0","bridge/opentracing/v1.38.0","bridge/opentracing/v1.39.0","bridge/opentracing/v1.40.0","exporters/
otlp/otlplog/otlploggrpc/v0.12.0","exporters/otlp/otlplog/otlploggrpc/v0.12.1","exporters/otlp/otlplog/otlploggrpc/v0.12.2","exporters/otlp/otlplog/otlploggrpc/v0.13.0","exporters/otlp/otlplog/otlploggrpc/v0.14.0","exporters/otlp/otlplog/otlploggrpc/v0.15.0","exporters/otlp/otlplog/otlploggrpc/v0.16.0","exporters/otlp/otlplog/otlploghttp/v0.12.0","exporters/otlp/otlplog/otlploghttp/v0.12.1","exporters/otlp/otlplog/otlploghttp/v0.12.2","exporters/otlp/otlplog/otlploghttp/v0.13.0","exporters/otlp/otlplog/otlploghttp/v0.14.0","exporters/otlp/otlplog/otlploghttp/v0.15.0","exporters/otlp/otlplog/otlploghttp/v0.16.0","exporters/otlp/otlpmetric/otlpmetricgrpc/v1.36.0","exporters/otlp/otlpmetric/otlpmetricgrpc/v1.37.0","exporters/otlp/otlpmetric/otlpmetricgrpc/v1.38.0","exporters/otlp/otlpmetric/otlpmetricgrpc/v1.39.0","exporters/otlp/otlpmetric/otlpmetricgrpc/v1.40.0","exporters/otlp/otlpmetric/otlpmetrichttp/v1.36.0","exporters/otlp/otlpmetric/otlpmetrichttp/v1.37.0","exporters/otlp/otlpmetric/otlpmetrichttp/v1.38.0","exporters/otlp/otlpmetric/otlpmetrichttp/v1.39.0","exporters/otlp/otlpmetric/otlpmetrichttp/v1.40.0","exporters/otlp/otlptrace/otlptracegrpc/v1.36.0","exporters/otlp/otlptrace/otlptracegrpc/v1.37.0","exporters/otlp/otlptrace/otlptracegrpc/v1.38.0","exporters/otlp/otlptrace/otlptracegrpc/v1.39.0","exporters/otlp/otlptrace/otlptracegrpc/v1.40.0","exporters/otlp/otlptrace/otlptracehttp/v1.36.0","exporters/otlp/otlptrace/otlptracehttp/v1.37.0","exporters/otlp/otlptrace/otlptracehttp/v1.38.0","exporters/otlp/otlptrace/otlptracehttp/v1.39.0","exporters/otlp/otlptrace/otlptracehttp/v1.40.0","exporters/otlp/otlptrace/v1.36.0","exporters/otlp/otlptrace/v1.37.0","exporters/otlp/otlptrace/v1.38.0","exporters/otlp/otlptrace/v1.39.0","exporters/otlp/otlptrace/v1.40.0","exporters/prometheus/v0.58.0","exporters/prometheus/v0.59.0","exporters/prometheus/v0.59.1","exporters/prometheus/v0.60.0","exporters/prometheus/v0.61.0","exporters/prometheus/v0.62.0","exporters/stdout/st
doutlog/v0.12.0","exporters/stdout/stdoutlog/v0.12.1","exporters/stdout/stdoutlog/v0.12.2","exporters/stdout/stdoutlog/v0.13.0","exporters/stdout/stdoutlog/v0.14.0","exporters/stdout/stdoutlog/v0.15.0","exporters/stdout/stdoutlog/v0.16.0","exporters/stdout/stdoutmetric/v1.36.0","exporters/stdout/stdoutmetric/v1.37.0","exporters/stdout/stdoutmetric/v1.38.0","exporters/stdout/stdoutmetric/v1.39.0","exporters/stdout/stdoutmetric/v1.40.0","exporters/stdout/stdouttrace/v1.36.0","exporters/stdout/stdouttrace/v1.37.0","exporters/stdout/stdouttrace/v1.38.0","exporters/stdout/stdouttrace/v1.39.0","exporters/stdout/stdouttrace/v1.40.0","exporters/zipkin/v1.36.0","exporters/zipkin/v1.37.0","exporters/zipkin/v1.38.0","exporters/zipkin/v1.39.0","exporters/zipkin/v1.40.0","log/logtest/v0.13.0","log/logtest/v0.14.0","log/logtest/v0.15.0","log/logtest/v0.16.0","log/v0.12.0","log/v0.12.1","log/v0.12.2","log/v0.13.0","log/v0.14.0","log/v0.15.0","log/v0.16.0","metric/v1.36.0","metric/v1.37.0","metric/v1.38.0","metric/v1.39.0","metric/v1.40.0","schema/v0.0.13","schema/v0.0.14","sdk/log/logtest/v0.13.0","sdk/log/logtest/v0.14.0","sdk/log/logtest/v0.15.0","sdk/log/logtest/v0.16.0","sdk/log/v0.12.0","sdk/log/v0.12.1","sdk/log/v0.12.2","sdk/log/v0.13.0","sdk/log/v0.14.0","sdk/log/v0.15.0","sdk/log/v0.16.0","sdk/metric/v1.36.0","sdk/metric/v1.37.0","sdk/metric/v1.38.0","sdk/metric/v1.39.0","sdk/metric/v1.40.0","sdk/v1.36.0","sdk/v1.37.0","sdk/v1.38.0","sdk/v1.39.0","sdk/v1.40.0","trace/v1.36.0","trace/v1.37.0","trace/v1.38.0","trace/v1.39.0","trace/v1.40.0","v1.36.0","v1.37.0","v1.38.0","v1.39.0","v1.40.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-29181.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}