Vulnerabilities ›

CVE-2026-39883

High ⚡ Exploit Available

CWE-426 — Weakness Type

                    Published: Apr 8, 2026                      ·  Modified: Apr 15, 2026                      ·  Source: NVD                

CVSS v3

7.0

🔗 NVD Official

📄 Description (English)

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.

🤖 AI Executive Summary

OpenTelemetry-Go versions 1.15.0 to 1.42.0 contain a PATH hijacking vulnerability in BSD and Solaris platforms through the kenv command, allowing arbitrary code execution. The vulnerability affects observability infrastructure used by organizations for monitoring and tracing applications.

📄 Description (Arabic)

تحتوي نسخ OpenTelemetry-Go من 1.15.0 إلى 1.42.0 على ثغرة اختراق PATH تؤثر على أنظمة BSD و Solaris من خلال أمر kenv. يمكن للمهاجمين تنفيذ أكواد عشوائية بامتيازات العملية المتأثرة. تم إصلاح الثغرة في الإصدار 1.43.0.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 10, 2026 10:18

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: medium

🏢 Affected Saudi Sectors

telecom banking government healthcare

🎯 MITRE ATT&CK Techniques

T1574.008 T1036.003 T1547.001

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Upgrade OpenTelemetry-Go to version 1.43.0 or later immediately. Review and validate all dependencies using OpenTelemetry-Go in your supply chain. Implement strict PATH environment controls and code review processes for observability components.

🔧 خطوات المعالجة (العربية)

قم بترقية OpenTelemetry-Go إلى الإصدار 1.43.0 أو أحدث فوراً. راجع والتحقق من جميع المكتبات التي تستخدم OpenTelemetry-Go في سلسلة التوريد. طبق عناصر تحكم صارمة في متغيرات PATH البيئية وعمليات مراجعة الأكواد لمكونات المراقبة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

4.1.1 4.2.1

🔵 SAMA CSF

ID.SC-4 PR.DS-6

🟡 ISO 27001:2022

A.14.2.1 A.14.2.5

🔗 References & Sources 2

🔗

http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0

security-advisories@github.com

Release Notes

🔗

https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx

security-advisories@github.com

Exploit Third Party Advisory

📦 Affected Products / CPE 1 entries

opentelemetry:opentelemetry

📊 CVSS Score

7.0

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityH — High

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.0

CWECWE-426

EPSS0.01%

Exploit ✓ Yes

Patch ✗ No

Published 2026-04-08

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

exploit-available CWE-426

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-39883

💬 Comments

Introduce Yourself

Sign In Required