CVE-2026-44967

Description

OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.

How to fix CVE-2026-44967

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

Debian/opentelemetry-cpp—no fix listed

Is CVE-2026-44967 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-44967.

Affected packages (1)

from 0

CVSS scores

Source	Version	Severity	Vector
nvd	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-44967