
fix(cve): CVE-2026-24051 - bump go.opentelemetry.io/otel to v1.40.0 [release-v0.43.1]#2871

Open
divyansh42 wants to merge 1 commit into
release-v0.43.1from
fix/cve-2026-24051-otel-sdk-resource-release-v0.43.1-attempt-1

Conversation

@divyansh42
Member

CVE Details

| Field | Value |
|---|---|
| CVE ID | CVE-2026-24051 |
| GHSA | GHSA-9h8m-3fm2-qjrq |
| Severity | HIGH |
| CVSS Score | 7.3 |
| Affected Package | go.opentelemetry.io/otel/sdk/resource |
| Vulnerable Range | >= 1.21.0, <= 1.39.0 |
| Fix Version | 1.40.0 |

Fix Summary

Bumps all go.opentelemetry.io/otel packages from v1.39.0 to v1.40.0:

  • go.opentelemetry.io/otel
  • go.opentelemetry.io/otel/metric
  • go.opentelemetry.io/otel/sdk
  • go.opentelemetry.io/otel/sdk/metric
  • go.opentelemetry.io/otel/trace

The vulnerability (GHSA-9h8m-3fm2-qjrq) allows Arbitrary Code Execution via local PATH Hijacking on macOS/Darwin through kenv in otel/sdk/resource. v1.40.0 is the minimum patched version.

Test Results

⚠️ No automated tests run — dependency bump only. Manual verification recommended.

Breaking Changes

None expected. v1.40.0 is a minor version bump with backwards-compatible API changes.

Risk Assessment

Low — indirect dependency upgrade within the same major version. The vulnerability is OS-specific (macOS/Darwin) and exploitable only via local PATH manipulation.

Jira References

SRVKP-10615

Verification Steps

  • Confirm go.opentelemetry.io/otel packages are at v1.40.0 in go.mod
  • Run go mod verify to confirm all modules verified
  • Confirm no build failures

🤖 Generated with Claude Code via Ambient CVE Fixer
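The three verification steps above, worked as an added shell example; this is not code from the PR or from the Tekton project. It reads the fix version from the CVE table, checks every `go.opentelemetry.io/otel*` requirement in a go.mod against it, and then leaves `go mod verify` and the build to a real checkout. The go.mod it inspects is a constructed sample, and the function names `version_ge`, `check_otel_versions` and `write_sample_gomod` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the PR: confirm that every go.opentelemetry.io/otel*
# requirement in a go.mod is at or above the fix version from the CVE table.
# MIN_VERSION is the advisory's fix version; the go.mod used below is constructed.

MIN_VERSION="v1.40.0"

# version_ge A B: exit 0 when A >= B by major.minor.patch. A pre-release such as
# v1.40.0-rc.1 sorts below v1.40.0, so it is not accepted as the fix.
version_ge() {
  v1=${1#v}; v2=${2#v}
  case $v1 in *-*) pre1=1 ;; *) pre1=0 ;; esac
  case $v2 in *-*) pre2=1 ;; *) pre2=0 ;; esac
  v1=${v1%%-*}; v1=${v1%%+*}; v2=${v2%%-*}; v2=${v2%%+*}
  oldifs=$IFS; IFS=.
  set -- $v1; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $v2; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$oldifs
  [ "$a1" -ne "$b1" ] && { [ "$a1" -gt "$b1" ]; return; }
  [ "$a2" -ne "$b2" ] && { [ "$a2" -gt "$b2" ]; return; }
  [ "$a3" -ne "$b3" ] && { [ "$a3" -gt "$b3" ]; return; }
  [ "$pre1" -le "$pre2" ]   # same numbers: only a release satisfies a release
}

# check_otel_versions GOMOD [MIN]: print one line per otel module and exit 0 only
# when every one is at or above MIN. Handles both `require x vX` and require
# blocks; replace directives are skipped (their second field is "=>", not vX).
check_otel_versions() {
  gomod=$1; min=${2:-$MIN_VERSION}
  awk '$1 ~ /^go\.opentelemetry\.io\/otel/ && $2 ~ /^v[0-9]/ { print $1, $2 }
       $1 == "require" && $2 ~ /^go\.opentelemetry\.io\/otel/ && $3 ~ /^v[0-9]/ { print $2, $3 }' "$gomod" |
  {
    bad=0
    while read -r mod ver; do
      if version_ge "$ver" "$min"; then
        printf 'ok          %s %s\n' "$mod" "$ver"
      else
        printf 'VULNERABLE  %s %s (needs %s)\n' "$mod" "$ver" "$min"
        bad=$((bad + 1))
      fi
    done
    [ "$bad" -eq 0 ]
  }
}

# write_sample_gomod PATH VERSION: write a constructed go.mod (not the project's)
# that pins the five otel modules listed in the PR at VERSION.
write_sample_gomod() {
  cat > "$1" <<EOF
module example.com/constructed-sample

go 1.22

require (
    example.com/other/dep v0.1.0
    go.opentelemetry.io/otel $2
    go.opentelemetry.io/otel/metric $2
    go.opentelemetry.io/otel/sdk $2
    go.opentelemetry.io/otel/sdk/metric $2
)

require go.opentelemetry.io/otel/trace $2 // indirect
EOF
}

main() {
  tmp=$(mktemp)
  echo "== before the bump (v1.39.0) =="
  write_sample_gomod "$tmp" "v1.39.0"
  check_otel_versions "$tmp" || echo "result: still in the vulnerable range"
  echo "== after the bump (v1.40.0) =="
  write_sample_gomod "$tmp" "v1.40.0"
  check_otel_versions "$tmp" && echo "result: all otel modules at or above $MIN_VERSION"
  rm -f "$tmp"
  # On a real checkout, finish the PR's steps with:
  #   go mod verify && go build ./...
}

main
```

Against a real checkout, source the script and run `check_otel_versions go.mod`, then `go mod verify` and a build as the steps list says. `govulncheck ./...` (golang.org/x/vuln/cmd/govulncheck) gives an independent confirmation by matching the resolved module graph against the Go vulnerability database, which is the check that would also catch the advisory still being reachable through a replace directive this script ignores.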

@tekton-robot
Contributor

@divyansh42: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label May 17, 2026
@tekton-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign piyush-garg after the PR has been reviewed.
You can assign the PR to them by writing /assign @piyush-garg in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 17, 2026
@divyansh42
Member Author

/retest

@linux-foundation-easycla

linux-foundation-easycla Bot commented May 18, 2026

CLA Missing ID

  • ❌ The email address for the commit (cb8ea73) is not linked to the GitHub account, preventing the EasyCLA check. Consult this Help Article and GitHub Help to resolve. (To view the commit's email address, add .patch at the end of this PR page's URL.) For further assistance with EasyCLA, please visit our EasyCLA portal and chat with our support bot.

@tekton-robot tekton-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 18, 2026
…release-v0.43.1]

Bumps go.opentelemetry.io/otel from v1.39.0 to v1.40.0 to address
CVE-2026-24051 (GHSA-9h8m-3fm2-qjrq) — PATH hijacking via SDK resource
detection on Windows.

Also runs go mod vendor to sync vendor/modules.txt so CI's vendor-aware
build mode passes.

Jira: SRVKP-12038
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@divyansh42 divyansh42 force-pushed the fix/cve-2026-24051-otel-sdk-resource-release-v0.43.1-attempt-1 branch from ce725da to cb8ea73 Compare May 18, 2026 05:09