VDB
CVE-2026-39883
CVE-2026-39883
PUBLISHED
CVSS 7.300000190734863 HIGH
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.
EPSS 0.01% · 1.4th percentile
Risk Scores
CVSS 4.0
7.300000190734863
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.01%
1.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| open-telemetry | opentelemetry-go | >= 1.15.0, < 1.43.0 |
| go.opentelemetry.io | otel/sdk | 1.15.0 |
Exploit Intelligence
- https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx (vulncheck-nvd)
- http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0 (circl)
- v0.1.14.ru.yml (github-poc)
- v0.1.14.ru.yml (github-poc)
- v0.1.14.ru.yml (github-poc)
- v0.1.14.ru.yml (github-poc)
- v0.1.14.ru.yml (github-poc)
- v0.1.14.yml (github-poc)
- v0.1.14.yml (github-poc)
- v0.1.14.yml (github-poc)
…and 22 more exploits
Timeline
- Apr 8, 2026 CVE Published
- Apr 9, 2026 CVE Updated
- Apr 9, 2026 Security Advisory
- Apr 11, 2026 EPSS Score
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
References
- https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx url
- http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0 url
- https://github.com/open-telemetry/opentelemetry-go package
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37439 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37451 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37445 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37460 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37449 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37450 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37466 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37468 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37444 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37461 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37459 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37446 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37465 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37448 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37447 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37463 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37452 advisory
…and 2 more