CVE-2026-45679
OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI exports raw Redis error text as the span status message. Because Redis error replies can contain attacker-controlled or sensitive values, this behavior can exfiltrate tokens, PII, or other confidential input into telemetry backends and inject untrusted text into downstream analysis systems. This issue has been patched in version 0.9.0.
| CWE | CWE-117 CWE-532 |
| Vendor | open-telemetry |
| Product | opentelemetry-ebpf-instrumentation |
| Published | Jun 2, 2026 |
| Last Updated | Jun 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for open-telemetry opentelemetry-ebpf-instrumentation
Be the first to know when new medium vulnerabilities affecting open-telemetry opentelemetry-ebpf-instrumentation are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
open-telemetry / opentelemetry-ebpf-instrumentation
< 0.9.0