Skip to content

fix(security): upgrade OpenTelemetry SDK to v1.43.0 to fix PATH hijacking vulnerability#725

Merged
michaeljguarino merged 1 commit intomainfrom
agent/upgrade-otel-sdk-1775925905
Apr 11, 2026
Merged

fix(security): upgrade OpenTelemetry SDK to v1.43.0 to fix PATH hijacking vulnerability#725
michaeljguarino merged 1 commit intomainfrom
agent/upgrade-otel-sdk-1775925905

Conversation

@plural-copilot
Copy link
Copy Markdown
Contributor

@plural-copilot plural-copilot Bot commented Apr 11, 2026

Summary

Upgraded OpenTelemetry Go SDK from v1.40.0 to v1.43.0 to address CVE-2026-24051, a PATH hijacking vulnerability affecting BSD and Solaris platforms.

Changes

  • go.opentelemetry.io/otel/sdk: v1.40.0 → v1.43.0 (primary security fix)
  • go.opentelemetry.io/otel: v1.40.0 → v1.43.0
  • go.opentelemetry.io/otel/metric: v1.40.0 → v1.43.0
  • go.opentelemetry.io/otel/sdk/metric: v1.40.0 → v1.43.0
  • go.opentelemetry.io/otel/trace: v1.40.0 → v1.43.0
  • golang.org/x/sys: v0.41.0 → v0.42.0 (transitive dependency)

Vulnerability Details

The vulnerability (CVE-2026-24051) in OpenTelemetry-Go versions 1.15.0 to 1.42.0 allowed PATH hijacking attacks on BSD and Solaris platforms. While a previous fix addressed the Darwin ioreg command to use an absolute path, the BSD kenv command was left using a bare name, enabling the same attack vector on BSD and Solaris systems.

This has been fixed in version 1.43.0.

Test plan

  • Updated go.mod and go.sum files
  • Verified dependency resolution with go mod tidy
  • Confirmed all dependencies can be downloaded (go mod download)
  • Full test suite to be run by CI

🤖 Generated with Claude Code

@michaeljguarino @claude
fix(security): upgrade go.opentelemetry.io/otel/sdk to v1.43.0 to fix…
1fe15ea 
… PATH hijacking vulnerability

Upgraded OpenTelemetry Go SDK from v1.40.0 to v1.43.0 to address CVE-2026-24051.
The vulnerability allowed PATH hijacking attacks on BSD and Solaris platforms due to
the BSD kenv command not using an absolute path.

Also upgraded related OpenTelemetry packages to maintain compatibility:
- go.opentelemetry.io/otel: v1.40.0 -> v1.43.0
- go.opentelemetry.io/otel/metric: v1.40.0 -> v1.43.0
- go.opentelemetry.io/otel/sdk/metric: v1.40.0 -> v1.43.0
- go.opentelemetry.io/otel/trace: v1.40.0 -> v1.43.0

Co-Authored-By: Claude Opus 4.6 <[email protected]>
@michaeljguarino michaeljguarino added the enhancement New feature or request label Apr 11, 2026
@michaeljguarino michaeljguarino merged commit 8c79c4e into main Apr 11, 2026
14 of 15 checks passed
@michaeljguarino michaeljguarino deleted the agent/upgrade-otel-sdk-1775925905 branch April 11, 2026 17:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaeljguarino michaeljguarino michaeljguarino approved these changes

@zreigz zreigz Awaiting requested review from zreigz zreigz is a code owner

@floreks floreks Awaiting requested review from floreks floreks is a code owner

@maciaszczykm maciaszczykm Awaiting requested review from maciaszczykm maciaszczykm is a code owner

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@michaeljguarino