CVE-2026-24051

{"id": "CVE-2026-24051", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2026-02-02T23:16:07.963", "references": [{"url": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-426"}]}], "descriptions": [{"lang": "en", "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0."}, {"lang": "es", "value": "OpenTelemetry-Go es la implementaci\u00f3n de Go de OpenTelemetry. El SDK de Go de OpenTelemetry en la versi\u00f3n v1.20.0-1.39.0 es vulnerable a Secuestro de Ruta (Rutas de B\u00fasqueda No Confiables) en sistemas macOS/Darwin. El c\u00f3digo de detecci\u00f3n de recursos en sdk/resource/host_id.go ejecuta el comando de sistema ioreg utilizando una ruta de b\u00fasqueda. Un atacante con la capacidad de modificar localmente la variable de entorno PATH puede lograr Ejecuci\u00f3n de C\u00f3digo Arbitrario (ACE) dentro del contexto de la aplicaci\u00f3n. Una correcci\u00f3n fue lanzada con la v1.40.0."}], "lastModified": "2026-02-27T20:32:10.693", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:opentelemetry-go:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "D2F3A3DE-73A9-48D9-B3CB-4DE1FB82314B", "versionEndExcluding": "1.40.0", "versionStartIncluding": "1.21.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}