{"id":"GO-2026-4394","summary":"OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk","details":"OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk","aliases":["CVE-2026-24051","GHSA-9h8m-3fm2-qjrq"],"modified":"2026-02-28T14:43:58.883863Z","published":"2026-02-19T17:28:55Z","related":["CGA-mqpq-rvmw-8rpr"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4394"},"references":[{"type":"ADVISORY","url":"https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq"},{"type":"WEB","url":"https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53"}],"affected":[{"package":{"name":"go.opentelemetry.io/otel/sdk","ecosystem":"Go","purl":"pkg:golang/go.opentelemetry.io/otel/sdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.21.0"},{"fixed":"1.40.0"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4394.json"}}],"schema_version":"1.7.3"}