CVE-2026-41310

MEDIUM 5.3

OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading to memory growth

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.

CWE	CWE-770 CWE-400
Vendor	open-telemetry
Product	opentelemetry-dotnet
Published	May 6, 2026

Stay Ahead of the Next One

Get instant alerts for open-telemetry opentelemetry-dotnet

Be the first to know when new medium vulnerabilities affecting open-telemetry opentelemetry-dotnet are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Affected Versions

open-telemetry / opentelemetry-dotnet

<= 1.15.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-88hf-wf7h-7w4m github.com: https://github.com/open-telemetry/opentelemetry-dotnet/pull/7081