Vulnerability Details CVE-2026-42191
OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured. The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path. On multi-user systems where the temporary directory is accessible to other local accounts, this allows an attacker to write crafted *.blob files, read *.blob files written by the application between export failures, or deposit numerous or oversized blob files, degrading retry-loop performance or consuming disk space. This vulnerability is fixed in 1.15.3.
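A deployment check for the condition described above, as an added example that is not part of the advisory or the OpenTelemetry project's code. The helper names are hypothetical, the permission test is POSIX-only, and matching the `disk` value case-insensitively is an assumption made so the check errs toward flagging.

```python
import os
import stat
import sys

RETRY_VAR = "OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY"
DIR_VAR = "OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH"
SIGNAL_DIRS = ("traces", "metrics", "logs")  # fixed subdirectory names from the advisory


def is_affected_version(version):
    """True for exporter versions 1.8.0 through 1.15.2 (fixed in 1.15.3)."""
    parts = tuple(int(p) for p in version.split("-")[0].split(".")[:3])
    return (1, 8, 0) <= parts <= (1, 15, 2)


def audit_disk_retry(env, exporter_version):
    """Return findings for one process environment (hypothetical helper)."""
    findings = []
    # Assumption: compare case-insensitively so odd casing is still flagged.
    if env.get(RETRY_VAR, "").strip().lower() != "disk":
        return findings  # disk retry not enabled, no blob files are written
    path = env.get(DIR_VAR, "").strip()
    if not path:
        if is_affected_version(exporter_version):
            findings.append(
                "retry=disk without %s: affected versions fall back to the "
                "shared temp path" % DIR_VAR)
        return findings
    if not os.path.isdir(path):
        findings.append("configured retry directory does not exist: " + path)
        return findings
    # POSIX-only: the retry root and its signal subdirectories should not be
    # reachable by group or other accounts.
    for candidate in [path] + [os.path.join(path, s) for s in SIGNAL_DIRS]:
        if os.path.isdir(candidate):
            mode = stat.S_IMODE(os.stat(candidate).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("%s is accessible to other accounts (mode %o)"
                                % (candidate, mode))
    return findings


if __name__ == "__main__":
    # Usage: python audit.py <exporter version>, run in the service's environment.
    for finding in audit_disk_retry(os.environ, sys.argv[1]):
        print(finding)
```
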
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 1.5%
CVSS Severity
CVSS v3 Score 6.5
Products affected by CVE-2026-42191
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.10.0
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.11.0
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.11.1
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.11.2
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.12.0
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.13.0
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.13.1
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.14.0
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.15.0
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.15.1
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.15.2
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.8.0
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.8.1
- cpe:2.3:a:opentelemetry:opentelemetry.exporter.opentelemetryprotocol:1.9.0