Vulnerability CVE-2026-24051: Information

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.

Severity: HIGH (7.0)
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
URL: https://nvd.nist.gov/vuln/detail/CVE-2026-24051
Published: Feb. 2, 2026
Modified: Feb. 27, 2026
Error type identifier: CWE-426

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
cert-managersisyphus1.19.4-alt11.19.4-alt1ALT-PU-2026-3881-2409645Fixed
cert-managersisyphus_riscv641.19.4-alt11.19.4-alt1ALT-PU-2026-3938-1-Fixed
cert-managersisyphus_loongarch641.19.4-alt11.19.4-alt1ALT-PU-2026-3961-1-Fixed
cmctlsisyphus2.4.1-alt12.4.1-alt1ALT-PU-2026-3883-2409645Fixed
cmctlsisyphus_riscv642.4.1-alt12.4.1-alt1ALT-PU-2026-3937-1-Fixed
cmctlsisyphus_loongarch642.4.1-alt12.4.1-alt1ALT-PU-2026-3963-1-Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53
  • Patch
https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq
  • Patch
  • Vendor Advisory
GHSA-9h8m-3fm2-qjrq
      1. cpe:2.3:a:linuxfoundation:opentelemetry-go:*:*:*:*:*:go:*:*
        Start including
        1.21.0
        End excluding
        1.40.0
    VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
    Version: v26.2.2
    Back to top