๐Ÿ” CVE Alert

CVE-2026-54704

MEDIUM 6.5

OpenTelemetry Java Instrumentation: JDBC Auto-Instrumentation Logging Clear-Text Passwords

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.28.0, the JDBC auto-instrumentation may fail to sanitize passwords in SQL CONNECT statements when the password is double-quoted. As a result, clear-text database passwords can be added to trace span attributes and exported to observability backends. This issue has been fixed in version 2.28.0.

CWE CWE-532
Vendor open-telemetry
Product opentelemetry-java-instrumentation
Published Jul 1, 2026
Last Updated Jul 2, 2026
Stay Ahead of the Next One

Get instant alerts for open-telemetry opentelemetry-java-instrumentation

Be the first to know when new medium vulnerabilities affecting open-telemetry opentelemetry-java-instrumentation are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

open-telemetry / opentelemetry-java-instrumentation
< 2.28.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-rwqx-fvqh-6wm4