< Back

CVE-2026-29181

Updated on 07 Apr 2026

Severity

7.5 High severity

Details

CVSS score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE ID: CWE-770 Allocation of Resources Without Limits or Throttling
Affected product
Affected component
Links: NIST CIRCL RHEL Ubuntu

Overview

About vulnerability

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.

Details

Affected product:: GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric , GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping , Grafana , Loki , argocd , argoproj/gitops-engine , argoproj/notifications-engine , bufbuild/protoc-gen-validate , census-ecosystem/opencensus-go-exporter-ocagent/ocagent , census-instrumentation/opencensus-go , census-instrumentation/opencensus-proto , centrifugal/centrifuge , cncf/xds/go , cortexproject/cortex , denisenkom/go-mssqldb , envoyproxy/go-control-plane , etcd-io/etcd/api , etcd-io/etcd/client , fsouza/fake-gcs-server , go-kit/kit , go-openapi/runtime , golang-migrate/migrate , google/go-cloud , google/s2a-go , googleapis/gax-go , googleapis/go-genproto , googleapis/google-api-go-client , googleapis/google-cloud-go , googleapis/google-cloud-go-testing , googleapis/google-cloud-go/accessapproval , googleapis/google-cloud-go/accesscontextmanager , googleapis/google-cloud-go/aiplatform , googleapis/google-cloud-go/analytics , googleapis/google-cloud-go/apigateway , googleapis/google-cloud-go/apigeeconnect , googleapis/google-cloud-go/apigeeregistry , googleapis/google-cloud-go/appengine , googleapis/google-cloud-go/area120 , googleapis/google-cloud-go/artifactregistry , googleapis/google-cloud-go/asset , googleapis/google-cloud-go/assuredworkloads , googleapis/google-cloud-go/auth , googleapis/google-cloud-go/automl , googleapis/google-cloud-go/baremetalsolution , googleapis/google-cloud-go/batch , googleapis/google-cloud-go/beyondcorp , googleapis/google-cloud-go/bigquery , googleapis/google-cloud-go/bigtable , googleapis/google-cloud-go/billing , googleapis/google-cloud-go/binaryauthorization , googleapis/google-cloud-go/certificatemanager , googleapis/google-cloud-go/channel , googleapis/google-cloud-go/cloudbuild , googleapis/google-cloud-go/clouddms , googleapis/google-cloud-go/cloudtasks , googleapis/google-cloud-go/compute , googleapis/google-cloud-go/contactcenterinsights , googleapis/google-cloud-go/container , googleapis/google-cloud-go/containeranalysis , googleapis/google-cloud-go/datacatalog , googleapis/google-cloud-go/dataflow , googleapis/google-cloud-go/dataform , googleapis/google-cloud-go/datafusion , googleapis/google-cloud-go/datalabeling , googleapis/google-cloud-go/dataplex , googleapis/google-cloud-go/dataproc , googleapis/google-cloud-go/dataqna , googleapis/google-cloud-go/datastore , googleapis/google-cloud-go/datastream , googleapis/google-cloud-go/deploy , googleapis/google-cloud-go/dialogflow , googleapis/google-cloud-go/dlp , googleapis/google-cloud-go/documentai , googleapis/google-cloud-go/domains , googleapis/google-cloud-go/edgecontainer , googleapis/google-cloud-go/essentialcontacts , googleapis/google-cloud-go/eventarc , googleapis/google-cloud-go/filestore , googleapis/google-cloud-go/functions , googleapis/google-cloud-go/gkebackup , googleapis/google-cloud-go/gkeconnect , googleapis/google-cloud-go/gkehub , googleapis/google-cloud-go/gkemulticloud , googleapis/google-cloud-go/gsuiteaddons , googleapis/google-cloud-go/iam , googleapis/google-cloud-go/iap , googleapis/google-cloud-go/ids , googleapis/google-cloud-go/iot , googleapis/google-cloud-go/kms , googleapis/google-cloud-go/language , googleapis/google-cloud-go/lifesciences , googleapis/google-cloud-go/longrunning , googleapis/google-cloud-go/managedidentities , googleapis/google-cloud-go/maps , googleapis/google-cloud-go/mediatranslation , googleapis/google-cloud-go/memcache , googleapis/google-cloud-go/metastore , googleapis/google-cloud-go/monitoring , googleapis/google-cloud-go/networkconnectivity , googleapis/google-cloud-go/networkmanagement , googleapis/google-cloud-go/networksecurity , googleapis/google-cloud-go/notebooks , googleapis/google-cloud-go/optimization , googleapis/google-cloud-go/orchestration , googleapis/google-cloud-go/orgpolicy , googleapis/google-cloud-go/osconfig , googleapis/google-cloud-go/oslogin , googleapis/google-cloud-go/phishingprotection , googleapis/google-cloud-go/policytroubleshooter , googleapis/google-cloud-go/privatecatalog , googleapis/google-cloud-go/pubsub , googleapis/google-cloud-go/recaptchaenterprise , googleapis/google-cloud-go/recommendationengine , googleapis/google-cloud-go/recommender , googleapis/google-cloud-go/redis , googleapis/google-cloud-go/resourcemanager , googleapis/google-cloud-go/resourcesettings , googleapis/google-cloud-go/retail , googleapis/google-cloud-go/run , googleapis/google-cloud-go/scheduler , googleapis/google-cloud-go/security , googleapis/google-cloud-go/securitycenter , googleapis/google-cloud-go/servicedirectory , googleapis/google-cloud-go/shell , googleapis/google-cloud-go/spanner , googleapis/google-cloud-go/speech , googleapis/google-cloud-go/storage , googleapis/google-cloud-go/storagetransfer , googleapis/google-cloud-go/talent , googleapis/google-cloud-go/texttospeech , googleapis/google-cloud-go/tpu , googleapis/google-cloud-go/translate , googleapis/google-cloud-go/video , googleapis/google-cloud-go/videointelligence , googleapis/google-cloud-go/vision , googleapis/google-cloud-go/vmmigration , googleapis/google-cloud-go/vmwareengine , googleapis/google-cloud-go/vpcaccess , googleapis/google-cloud-go/webrisk , googleapis/google-cloud-go/websecurityscanner , googleapis/google-cloud-go/workflows , gopkg.in/telebot.v3 , grafana/alerting , grafana/authlib , grafana/dataplane/sdata , grafana/e2e , grafana/grafana-app-sdk , grafana/grafana-aws-sdk , grafana/grafana-azure-sdk-go , grafana/grafana-openapi-client-go , grafana/grafana-plugin-sdk-go , grafana/grafana/apps/alerting/notifications , grafana/grafana/apps/investigation , grafana/grafana/apps/playlist , grafana/grafana/pkg/aggregator , grafana/grafana/pkg/apimachinery , grafana/grafana/pkg/apiserver , grafana/grafana/pkg/promlib , grafana/grafana/pkg/semconv , grafana/grafana/pkg/storage/unified/apistore , grafana/grafana/pkg/storage/unified/resource , grafana/otel-profiling-go , grafana/sqlds , grafana/tempo , grpc-ecosystem/go-grpc-middleware , grpc/grpc-go , grpc/grpc-go/stats/opentelemetry , hashicorp/consul , hashicorp/hcp-scada-provider , hashicorp/hcp-sdk-go , heroku/x , influxdata/telegraf , kubernetes-sigs/controller-runtime , kubernetes/apiextensions-apiserver , kubernetes/apiserver , kubernetes/component-base , kubernetes/controller-manager , kubernetes/kube-aggregator , kubernetes/kubernetes , lyft/protoc-gen-star , minio , minio/colorjson , minio/object-browser/console , minio/pkg , open-telemetry/opentelemetry-go , open-telemetry/opentelemetry-go-contrib/detectors/gcp , open-telemetry/opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc , open-telemetry/opentelemetry-go-contrib/instrumentation/net/http/httptrace/otelhttptrace , open-telemetry/opentelemetry-go-contrib/instrumentation/net/http/otelhttp , open-telemetry/opentelemetry-go-contrib/propagators/jaeger , open-telemetry/opentelemetry-go-contrib/samplers/jaegerremote , open-telemetry/opentelemetry-go-instrumentation/sdk , open-telemetry/opentelemetry-go/exporters/jaeger , open-telemetry/opentelemetry-go/exporters/otlp/otlpmetric , open-telemetry/opentelemetry-go/exporters/otlp/otlpmetric/otlpmetricgrpc , open-telemetry/opentelemetry-go/exporters/otlp/otlpmetric/otlpmetrichttp , open-telemetry/opentelemetry-go/exporters/otlp/otlptrace , open-telemetry/opentelemetry-go/exporters/otlp/otlptrace/otlptracegrpc , open-telemetry/opentelemetry-go/exporters/otlp/otlptrace/otlptracehttp , open-telemetry/opentelemetry-go/internal/metric , open-telemetry/opentelemetry-go/metric , open-telemetry/opentelemetry-go/sdk , open-telemetry/opentelemetry-go/sdk/export/metric , open-telemetry/opentelemetry-go/sdk/metric , openfga/openfga , ory/x , pressly/goose , prometheus/alertmanager , prometheus/prom2json , prometheus/prometheus , redis/go-redis/redis , redis/rueidis , sagikazarmark/crypt , spf13/afero , spf13/viper , thanos-io/objstore , twmb/franz-go/plugin/kotel
Affected packages:: google.golang.org/api @ 0.203.0 (+399 more)

Release info

Copy page link

Open as a page

Advisory

CLSA-2025:1748945064

Operating system

CentOS 8.4 ELS

Published date

Nov 16, 2014

Project

Linux

Version

2.11.0-1~ubuntu16.04.1+tuxcare.els12

How to fix

Update command:

apt-get update
apt-get --only-upgrade install ansible*

Changelog

Insufficiently Random Passwords Leakage
Debian/patches/CVE-2020-10729.patch: Fix caching of Jinja2 expressions to prevent caching dynamic results
CVE-2020-10729

Packages list

ansible_2.5.1+dfsg-1ubuntu0.1+tuxcare.els6_all.deb

CVE-2026-29181

Severity

Details

Overview

About vulnerability

Details

Statement

Subscribe to updates

Unsubscribe

Contact us

Message Delivered!