fix(security/medium): update module go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to v0.19.0 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	v0.16.0 → v0.19.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	v0.17.0 → v0.19.0

---

opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

CVE-2026-39882 / GHSA-w8rr-5gcm-pp58

More information

Details

overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

• exporters/otlp/otlptrace/otlptracehttp/client.go:199
• exporters/otlp/otlptrace/otlptracehttp/client.go:230
• exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
• exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
• exporters/otlp/otlplog/otlploghttp/client.go:190
• exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L199
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L230
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L170
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L201
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L190
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L221

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
• go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58
• https://nvd.nist.gov/vuln/detail/CVE-2026-39882
• https://github.com/open-telemetry/opentelemetry-go/pull/8108
• https://github.com/open-telemetry/opentelemetry-go
• http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp)

v0.19.0

Compare Source

v0.18.0

Compare Source

v0.17.0

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[renovate-sh-app]

ℹ️ Artifact update notice

File name: dagger/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
go.opentelemetry.io/otel/log	v0.17.0 -> v0.19.0
go.opentelemetry.io/otel/sdk/log	v0.17.0 -> v0.19.0

[cla-assistant]

All committers have signed the CLA.

[renovate-sh-app]

Rebase requested. Renovate is processing this repository now.

[renovate-sh-app]

Rebase requested. Renovate is processing this repository now.

[NickAnge]

https://github.com/grafana/deployment_tools/issues/586150#issuecomment-4441647426