CVE-2026-24051

Date: February 2, 2026

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions v1.20.0 through v1.39.0 of the OpenTelemetry Go SDK are vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker who can locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released in v1.40.0.
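The check below is an added example, not code from the OpenTelemetry-Go project or from this advisory. It walks a PATH value in order, the way a bare command name is resolved, and flags the case where ioreg would resolve to anything other than a pinned absolute path. The helper names and the /usr/sbin/ioreg location are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// firstInPath returns the first executable regular file called name found by
// walking pathEnv in order, which is how a bare command name gets resolved.
func firstInPath(name, pathEnv string) (string, bool) {
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" {
			dir = "." // an empty PATH element means the current directory
		}
		candidate := filepath.Join(dir, name)
		fi, err := os.Stat(candidate)
		if err == nil && fi.Mode().IsRegular() && fi.Mode().Perm()&0o111 != 0 {
			return candidate, true
		}
	}
	return "", false
}

// shadowed reports whether name, resolved through pathEnv, would run a file
// other than the pinned absolute path trusted.
func shadowed(name, pathEnv, trusted string) (string, bool) {
	got, ok := firstInPath(name, pathEnv)
	if !ok {
		return "", false
	}
	return got, filepath.Clean(got) != filepath.Clean(trusted)
}

func main() {
	// Assumption: /usr/sbin/ioreg is the stock macOS location of ioreg.
	const trusted = "/usr/sbin/ioreg"
	got, bad := shadowed("ioreg", os.Getenv("PATH"), trusted)
	switch {
	case got == "":
		fmt.Println("ioreg not found on PATH (expected off macOS)")
	case bad:
		fmt.Printf("WARNING: PATH resolves ioreg to %s, not %s\n", got, trusted)
	default:
		fmt.Println("PATH resolves ioreg to the pinned path")
	}
}
```

In application code, passing an absolute path to exec.Command skips the PATH lookup altogether, so the result no longer depends on the environment.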

Severity Score

Weakness Type (CWE)

Untrusted Search Path

CWE-426

Top Fix

Upgrade Version

Upgrade to version github.com/open-telemetry/opentelemetry-go - v1.40.0; https://github.com/open-telemetry/opentelemetry-go.git - v1.40.0

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): HIGH
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH
