Home / Vulnerability Intelligence / CVE-2026-39883

CVE-2026-39883 - Vulnerability Analysis

HighCVSS: 7.0

Last Updated: April 9, 2026

OpenTelemetry-Go - Command Injection

Published: April 8, 2026Updated: April 9, 2026PoC Available

Overview

OpenTelemetry-Go 1.15.0 to 1.42.0 contains a command injection caused by use of bare command name in BSD kenv, letting attackers perform PATH hijacking on BSD and Solaris platforms, exploit requires attacker control over PATH.

Severity & Score

Severity: High

CVSS Score: 7.0

Impact

Attackers can hijack PATH to execute arbitrary commands, potentially leading to remote code execution.

Mitigation

Update to version 1.43.0 or later.

References

http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0
https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-39883
Severity: High
CVSS Score: 7.0
Type: command_injection
Status: confirmed

CWE

CWE-426

CVSS Metrics

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H