CVE-2026-24051

7.0 HIGH

📋 TL;DR

OpenTelemetry-Go SDK versions v1.20.0 through v1.39.0 on macOS/Darwin locate the ioreg command used for host ID resource detection through the PATH environment variable rather than by absolute path, so the lookup is subject to path hijacking. An attacker with local access who can set PATH for the instrumented process can place an executable named ioreg earlier in the search order and have it run with the application's privileges when the detector fires. Any Go application built against an affected SDK version and running on macOS is affected.

💻 Affected Systems

Products:
  • OpenTelemetry-Go SDK
Versions: v1.20.0 through v1.39.0
Operating Systems: macOS, Darwin
Default Config Vulnerable: ⚠️ Yes
Notes: Only macOS/Darwin is affected: ioreg is a macOS tool and the SDK invokes it only in its Darwin host ID detector. Linux and Windows builds do not run this code and are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary code execution with the privileges of the instrumented application. If that application runs with elevated rights this amounts to full compromise of the host, with data theft, lateral movement, or persistence following from that position.

🟠

Likely Case

Code execution in the application's security context, giving the attacker whatever data and credentials the application holds. This becomes privilege escalation only where the application runs with more privileges than the user who controls its environment, for example a service launched with an environment the attacker can edit.

🟢

If Mitigated

Limited impact when the application is launched with a fixed PATH made only of root-owned, non-writable directories and runs with least privilege, so a local user can neither change the search order nor gain anything from the application's rights.

🌐 Internet-Facing: LOW - Requires local access to the system, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal attackers with local access to macOS systems running vulnerable applications could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs only the ability to set PATH for the target process (a shell profile, a launchd plist, or a wrapper script the attacker can edit) and to write an executable named ioreg into a directory that appears in PATH before /usr/sbin. No authentication beyond local access is required; the payload runs when the SDK next executes its host ID detector, normally at application startup.
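The mechanism described above, as an added example (this is not code from the OpenTelemetry project): a Go program that runs ioreg the vulnerable way (bare command name, resolved through PATH) and a hardened way (absolute path plus a fixed child environment), after planting a fake ioreg in a temporary directory that it prepends to PATH. The ioreg arguments are the conventional ones for reading the IOPlatformUUID and are an assumption of this example, as is /usr/sbin/ioreg as the pinned location; the page does not show the SDK's exact invocation or its fix. The program runs on Linux as well as macOS: the planted binary wins on both, and the pinned variant either runs the real tool or fails closed with a not-found error.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ioregAbsPath is where macOS ships ioreg. Using it directly takes PATH
// out of the lookup entirely (assumption of this example, not the
// project's verified fix).
const ioregAbsPath = "/usr/sbin/ioreg"

// ioregArgs are the arguments conventionally used to read the
// IOPlatformUUID from the IOPlatformExpertDevice node. They are an
// assumption of this example; the page does not list the SDK's arguments.
var ioregArgs = []string{"-rd1", "-c", "IOPlatformExpertDevice"}

// resolveIoregViaPath shows what exec.Command does with a bare name:
// it walks the caller's PATH and returns the first executable match.
func resolveIoregViaPath() (string, error) {
	return exec.LookPath("ioreg")
}

// runIoregViaPath mirrors the vulnerable pattern: a bare command name,
// so whichever ioreg appears first in PATH is executed.
func runIoregViaPath() (string, error) {
	out, err := exec.Command("ioreg", ioregArgs...).Output()
	return string(out), err
}

// runIoregPinned is the hardened variant: an absolute path is used, and
// the child gets a minimal fixed environment so PATH (and any other
// inherited variable) cannot influence what executes. If the binary is
// missing, as on Linux, it fails closed instead of falling back to PATH.
func runIoregPinned() (string, error) {
	if _, err := os.Stat(ioregAbsPath); err != nil {
		return "", err
	}
	cmd := exec.Command(ioregAbsPath, ioregArgs...)
	cmd.Env = []string{"PATH=/usr/sbin:/usr/bin:/bin"}
	out, err := cmd.Output()
	return string(out), err
}

// plantFakeIoreg models the attacker's side: it writes an executable
// named ioreg into a fresh temp directory and prepends that directory
// to PATH. The directory is returned so the caller can remove it.
func plantFakeIoreg() (string, error) {
	dir, err := os.MkdirTemp("", "hijack")
	if err != nil {
		return "", err
	}
	script := "#!/bin/sh\necho HIJACKED\n"
	if err := os.WriteFile(filepath.Join(dir, "ioreg"), []byte(script), 0o755); err != nil {
		return "", err
	}
	os.Setenv("PATH", dir+string(os.PathListSeparator)+os.Getenv("PATH"))
	return dir, nil
}

// hijacked reports whether output came from the planted binary rather
// than the real ioreg.
func hijacked(out string) bool {
	return strings.Contains(out, "HIJACKED")
}

func main() {
	dir, err := plantFakeIoreg()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	defer os.RemoveAll(dir)

	p, _ := resolveIoregViaPath()
	fmt.Println("PATH resolves ioreg to:", p)

	out, err := runIoregViaPath()
	fmt.Printf("PATH lookup:  hijacked=%v err=%v\n", hijacked(out), err)

	out, err = runIoregPinned()
	fmt.Printf("pinned path:  hijacked=%v err=%v\n", hijacked(out), err)
}
```

The review takeaway: any exec.Command with a bare name inherits the caller's PATH, and Go's lookup only refuses relative entries such as "." (exec.ErrDot), not attacker-writable absolute directories. Pinning the path is the necessary part; replacing the inherited environment additionally removes any other variable the child might honour.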

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.40.0 and later

Vendor Advisory: https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq

Restart Required: Yes

Instructions:

1. Update the SDK module to v1.40.0 or later, for example with 'go get go.opentelemetry.io/otel/sdk@v1.40.0' (the resource detectors live in the sdk module; update go.opentelemetry.io/otel to the same version to keep the API and SDK modules aligned)
2. Rebuild and redeploy affected applications
3. Restart services using the updated SDK

🔧 Temporary Workarounds

Restrict PATH environment modification

macOS

Launch the application with a fixed PATH made only of root-owned, non-writable system directories, so that no attacker-writable directory is searched before /usr/sbin. The export line only affects the shell it is run in and the processes started from it; the launchctl line sets the PATH that launchd hands to the services it starts and, per launchctl(1), takes effect after a reboot. Neither helps an application started from a user shell whose profile the attacker can edit.

export PATH=/usr/bin:/bin:/usr/sbin:/sbin
sudo launchctl config system path /usr/bin:/bin:/usr/sbin:/sbin

Disable resource detection

all

Setting host.id through OTEL_RESOURCE_ATTRIBUTES adds the attribute to the resource but does not stop the SDK's host ID detector from running ioreg; that detector is driven by the application's resource options, not by this variable. To avoid the ioreg call on an unpatched SDK, stop enabling host ID detection in the application (do not pass resource.WithHostID() to resource.New, and drop any detector set that includes it). This is a code change that needs a rebuild, the same effort as applying the patch. If the backend still needs the attribute, supply it statically (placeholder value shown):

OTEL_RESOURCE_ATTRIBUTES=host.id=<your-host-id>

🧯 If You Can't Patch

  • Launch affected applications from a launchd service or wrapper that sets an explicit PATH of root-owned, non-writable directories instead of inheriting a user's shell environment, and verify the effective PATH of the running process
  • Run applications under a dedicated low-privilege account so that code executed through a hijacked ioreg gains nothing beyond what the application itself already holds

🔍 How to Verify

Check if Vulnerable:

Check the version of the go.opentelemetry.io/otel/sdk module (the module containing the resource detectors) selected by the build. go.mod shows what was requested, but another dependency can raise the selected version, so confirm against the module list of the built binary; versions v1.20.0 through v1.39.0 are affected.

Check Version:

grep -E 'go\.opentelemetry\.io/otel(/sdk)? v1\.(2[0-9]|3[0-9])\.[0-9]+' go.mod

Verify Fix Applied:

Confirm the selected go.opentelemetry.io/otel/sdk version is v1.40.0 or later. If you build from a checkout of the SDK rather than a tagged release, confirm that fix commit d45961bcda453fcbdb6469c22d6e88a1f9970a53 is in the history of the revision you build.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process execution from non-standard paths
  • ioreg executions whose binary path is not /usr/sbin/ioreg, or host ID detector errors caused by a malformed ioreg response

Network Indicators:

  • None - local exploitation only

SIEM Query:

process.name:ioreg AND process.parent.name:(application_name) AND process.path:(NOT /usr/sbin/ioreg)

Substitute the executable name of each Go application that ships the SDK for application_name. Dropping the parent clause catches ioreg started off-path by any process, at the cost of more noise.
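The SIEM query above as running detection logic, added here as an example (not part of the original page): it applies the same three conditions to ECS-style process events supplied as NDJSON. The field names, the monitored parent name otel-app, and the five sample events are constructed for this example. It normalises the executable path before comparing, so a path such as /usr/sbin/../sbin/ioreg is not reported as a false positive, and it treats an event with no executable path as a finding because the location cannot be verified.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// processEvent is the subset of an ECS-style process event used here
// (process.name, process.executable, process.parent.name, host.name).
// The field layout is an assumption of this example.
type processEvent struct {
	Process struct {
		Name       string `json:"name"`
		Executable string `json:"executable"`
		Parent     struct {
			Name string `json:"name"`
		} `json:"parent"`
	} `json:"process"`
	Host struct {
		Name string `json:"name"`
	} `json:"host"`
}

// expectedIoreg is the only location from which ioreg should ever run.
const expectedIoreg = "/usr/sbin/ioreg"

// ioregHijackFinding is produced for each event where ioreg ran from
// somewhere other than /usr/sbin under one of the monitored parents.
type ioregHijackFinding struct {
	Host       string
	Parent     string
	Executable string
}

// detectIoregHijack applies the page's query to NDJSON input:
// process.name == ioreg AND parent in monitoredParents AND
// executable != /usr/sbin/ioreg. The executable path is cleaned before
// comparison; an empty executable is reported because it cannot be
// verified. A malformed line aborts with its line number.
func detectIoregHijack(ndjson string, monitoredParents []string) ([]ioregHijackFinding, error) {
	parents := map[string]bool{}
	for _, p := range monitoredParents {
		parents[p] = true
	}
	var findings []ioregHijackFinding
	for i, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var ev processEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if ev.Process.Name != "ioreg" || !parents[ev.Process.Parent.Name] {
			continue
		}
		exe := ev.Process.Executable
		if exe != "" && filepath.Clean(exe) == expectedIoreg {
			continue
		}
		findings = append(findings, ioregHijackFinding{
			Host:       ev.Host.Name,
			Parent:     ev.Process.Parent.Name,
			Executable: exe,
		})
	}
	return findings, nil
}

// sampleEvents are constructed for this example, not real telemetry.
// mac-01 is benign, mac-02 is a hijack, mac-03 is benign once cleaned,
// mac-04 has a parent we are not monitoring, mac-05 has no path.
const sampleEvents = `
{"host":{"name":"mac-01"},"process":{"name":"ioreg","executable":"/usr/sbin/ioreg","parent":{"name":"otel-app"}}}
{"host":{"name":"mac-02"},"process":{"name":"ioreg","executable":"/Users/dev/bin/ioreg","parent":{"name":"otel-app"}}}
{"host":{"name":"mac-03"},"process":{"name":"ioreg","executable":"/usr/sbin/../sbin/ioreg","parent":{"name":"otel-app"}}}
{"host":{"name":"mac-04"},"process":{"name":"ioreg","executable":"/tmp/x/ioreg","parent":{"name":"Terminal"}}}
{"host":{"name":"mac-05"},"process":{"name":"ioreg","executable":"","parent":{"name":"otel-app"}}}
`

func main() {
	findings, err := detectIoregHijack(sampleEvents, []string{"otel-app"})
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("ALERT host=%s parent=%s executable=%q\n", f.Host, f.Parent, f.Executable)
	}
}
```

Against the constructed sample this reports mac-02 and mac-05 only. To widen coverage to ioreg launched off-path by any process, pass every parent name seen in the data (or remove the parent check); the page's query keeps it narrow to reduce noise.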
