Untrusted Search Path in go.opentelemetry.io/otel/sdk

CVE-2026-39883

go.opentelemetry.io/otel/sdk

High

7.3/10

Summary

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 through 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.

Attack Complexity: HIGH
Attack Vector: LOCAL
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-426 - Untrusted Search Path

The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.

References

Advisory
Pull request
Release Note

Advisory Timeline

Published Apr 08, 2026

Untrusted Search Path in go.opentelemetry.io/otel/sdk

CVE-2026-39883

Summary

CWE-426 - Untrusted Search Path

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS