CVE-2026-54704
OpenTelemetry Java Instrumentation: JDBC Auto-Instrumentation Logging Clear-Text Passwords
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.28.0, the JDBC auto-instrumentation may fail to sanitize passwords in SQL CONNECT statements when the password is double-quoted. As a result, clear-text database passwords can be added to trace span attributes and exported to observability backends. This issue has been fixed in version 2.28.0.
| CWE | CWE-532 |
| Vendor | open-telemetry |
| Product | opentelemetry-java-instrumentation |
| Published | Jul 1, 2026 |
| Last Updated | Jul 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for open-telemetry opentelemetry-java-instrumentation
Be the first to know when new medium vulnerabilities affecting open-telemetry opentelemetry-java-instrumentation are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
open-telemetry / opentelemetry-java-instrumentation
< 2.28.0