Summary
opentelemetry-proto currently pins protobuf>=5.0, <7.0, which prevents downstream users from adopting protobuf>=7.0. Protobuf 7.0 contains the fix for CVE-2026-8994 (CVSS 7.58) — a DoS vulnerability in google.protobuf.json_format.ParseDict() that allows a malicious payload to bypass input validation.
Current state
- opentelemetry-proto/pyproject.toml: protobuf>=5.0, <7.0
- Latest protobuf: 7.34.1
- googleapis-common-protos already allows protobuf <8.0.0, so it is not a blocker.
Request
Bump the upper bound in opentelemetry-proto from <7.0 to <8.0, mirroring the prior bump in PR #4620 (issue #4563).
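To make the effect of the upper bound concrete, here is an added example (not code from opentelemetry-python) that evaluates a pin such as `protobuf>=5.0, <7.0` against a release version using a minimal PEP 440 subset (plain release segments and the six comparison operators; no pre-release or wildcard handling, which a real resolver gets from the `packaging` library). It shows that the current bound excludes 7.34.1 while `<8.0` admits it.

```python
"""Check whether a dependency pin admits a release that carries a fix."""
import re

# Pins and versions quoted from the issue above.
CURRENT_PIN = "protobuf>=5.0, <7.0"
PROPOSED_PIN = "protobuf>=5.0, <8.0"
LATEST_PROTOBUF = "7.34.1"
FIXED_IN = "7.0"  # first protobuf release containing the CVE fix

_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
# Operator order matters: two-character operators must be tried first.
_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'7.34.1' -> (7, 34, 1); trailing zeros are dropped so 7.0 == 7."""
    parts = tuple(int(p) for p in text.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def parse_requirement(req):
    """'protobuf>=5.0, <7.0' -> ('protobuf', [('>=', (5,)), ('<', (7,))])."""
    m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    clauses = []
    for raw in m.group(2).split(","):
        if not raw.strip():
            continue
        cm = _CLAUSE.match(raw.strip())
        if not cm:
            raise ValueError(f"unsupported specifier clause: {raw!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return m.group(1), clauses


def satisfies(req, version):
    """True if `version` meets every clause of the pin `req`."""
    _, clauses = parse_requirement(req)
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def pin_admits_fix(req, candidate):
    """True if the pin lets a user install `candidate` and it carries the fix."""
    return satisfies(req, candidate) and parse_version(candidate) >= parse_version(FIXED_IN)


if __name__ == "__main__":
    for pin in (CURRENT_PIN, PROPOSED_PIN):
        print(f"{pin!r} admits fixed release {LATEST_PROTOBUF}: {pin_admits_fix(pin, LATEST_PROTOBUF)}")
```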
Impact
Unblocks users of opentelemetry-exporter-otlp (and its proto-grpc / proto-common / proto-http variants) from receiving the CVE fix without pinning around OTel constraints.
References