Vulnerability Details CVE-2026-45287
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leak one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process's file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.
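The open-without-close pattern described above, next to a version that closes the file, as an added Go example that is not the OpenTelemetry-Go source. The names `track`, `tracked`, `live` and `leakedAfter` are hypothetical helpers, `io.ReadAll` stands in for `Parse`, and the null device stands in for a schema file.

```go
package main

import (
	"fmt"
	"io"
	"os"
)

var live int // handles opened by this example and not yet closed

// tracked wraps *os.File so every Close is counted (hypothetical helper).
type tracked struct{ *os.File }

func track(f *os.File) tracked { live++; return tracked{f} }
func (t tracked) Close() error { live--; return t.File.Close() }

// parseFileLeaky follows the pattern in the advisory: open, parse, never close.
func parseFileLeaky(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	return io.ReadAll(track(f)) // io.ReadAll stands in for Parse(f)
}

// parseFileFixed releases the descriptor on every return path.
func parseFileFixed(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	t := track(f)
	defer t.Close()
	return io.ReadAll(t)
}

// leakedAfter calls parseFile n times and returns how many handles stay open.
func leakedAfter(parseFile func(string) ([]byte, error), path string, n int) int {
	before := live
	for i := 0; i < n; i++ {
		parseFile(path)
	}
	return live - before
}

func main() {
	null := os.DevNull // constructed input: the null device stands in for a schema file
	fmt.Println(leakedAfter(parseFileLeaky, null, 100), leakedAfter(parseFileFixed, null, 100))
}
```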
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 6.4%
CVSS Severity
CVSS v3 Score 5.5
Products affected by CVE-2026-45287
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.1
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.10
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.11
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.12
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.13
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.14
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.15
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.16
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.2
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.3
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.4
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.5
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.6
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.7
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.8
- cpe:2.3:a:opentelemetry:telemetry_schema_files:0.0.9