What is CVE-2026-41173?

CVE-2026-41173 is a medium-severity vulnerability in Open-telemetry Opentelemetry-dotnet-contrib, classified under Allocation of Resources Without Limits or Throttling. CVSS score: 5.9/10. Published 2026-04-23.

How severe is CVE-2026-41173?

Medium severity. CVSS v3 base score is 5.9 out of 10.

Resource exhaustion in Open-telemetry Opentelemetry-dotnet-contrib

CVE-2026-41173

The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote samplin…

EPSS: 0.000 (4.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Open-telemetry Opentelemetry-dotnet-contrib — versions < 0.1.0-alpha.8

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

References

https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-28xm-prxc-5866 (x_refsource_CONFIRM)
https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4100 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-41173?: CVE-2026-41173 is a medium-severity vulnerability in Open-telemetry Opentelemetry-dotnet-contrib, classified under Allocation of Resources Without Limits or Throttling. CVSS score: 5.9/10. Published 2026-04-23.
How severe is CVE-2026-41173?: Medium severity. CVSS v3 base score is 5.9 out of 10.