GHSA-8RRQ-WCG8-CV5Q
Vulnerability from github – Published: 2026-05-18 17:56 – Updated: 2026-06-09 10:57
Summary
OBI exports raw Redis error text as the span status message. Because Redis error replies can contain attacker-controlled or sensitive values, this behavior can exfiltrate tokens, PII, or other confidential input into telemetry backends and inject untrusted text into downstream analysis systems.
Details
In pkg/ebpf/common/redis_detect_transform.go, getRedisError trims the raw error buffer and stores it directly in request.DBError.Description.
Later, pkg/appolly/app/request/span.go returns that description as the exported status message for Redis spans whenever the span status is non-zero.
There is no opt-in control or sanitization beyond CRLF trimming. As a result, raw Redis error text becomes part of OTLP-exported status metadata by default.
PoC
Local request-layer testing recorded a status message containing ERR invalid password for user bob secret=TOPSECRET, which shows that unfiltered Redis error text reaches the exported status message.
Use a vulnerable build:

```bash
git checkout v0.0.0-rc.1+build
make build
```

Start Redis and OBI:

```bash
docker run --rm -p 6379:6379 redis:7
sudo ./bin/obi
```

Send a command that causes Redis to return an error containing caller-supplied text:

```bash
redis-cli -p 6379 'NOTACMD my-secret-token-123'
```
Capture the exported span or inspect the local telemetry output. On a vulnerable build, the span status message contains the Redis error text, including the supplied command fragment. This demonstrates that raw Redis error text is exported into telemetry by default and that values embedded in that text, including data supplied unintentionally by a caller, can be carried into tracing systems.
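As an added illustration (my own code, not OBI's and not the fix shipped in v0.9.0), the Go snippet below contrasts the trim-only handling described under Details with a hypothetical hardened status message that exports only the Redis error class by default and, when an operator opts in to the full text, redacts quoted arguments and key=value pairs. The sample replies are constructed to echo the PoC inputs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed RESP error replies, as OBI's request layer sees them on the wire.
var sampleErrors = []string{
	"-ERR invalid password for user bob secret=TOPSECRET\r\n",
	"-ERR unknown command 'NOTACMD', with args beginning with: 'my-secret-token-123'\r\n",
	"-WRONGTYPE Operation against a key holding the wrong kind of value\r\n",
}

// vulnerableDescription mirrors the advisory's described behaviour: the raw
// error buffer is only stripped of the RESP '-' marker and CRLF, then exported.
func vulnerableDescription(raw string) string {
	return strings.TrimRight(strings.TrimPrefix(raw, "-"), "\r\n")
}

// errorClass keeps only the leading prefix (ERR, WRONGPASS, NOAUTH, ...), a
// fixed server vocabulary token that never echoes caller input.
func errorClass(raw string) string {
	prefix, _, _ := strings.Cut(vulnerableDescription(raw), " ")
	if prefix == "" || strings.Trim(prefix, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") != "" {
		return "ERR" // malformed or unexpected prefix: fall back to the generic class
	}
	return prefix
}

var (
	quotedArg = regexp.MustCompile(`'[^']*'`)     // e.g. 'NOTACMD', 'my-secret-token-123'
	keyValue  = regexp.MustCompile(`\b(\w+)=\S+`) // e.g. secret=TOPSECRET
)

// safeStatusMessage is a hypothetical hardened replacement (not OBI's code):
// only the error class by default; with opt-in, the text is kept but redacted.
func safeStatusMessage(raw string, includeText bool) string {
	if !includeText {
		return errorClass(raw)
	}
	s := quotedArg.ReplaceAllString(vulnerableDescription(raw), "'[REDACTED]'")
	return keyValue.ReplaceAllString(s, "$1=[REDACTED]")
}

func main() {
	for _, e := range sampleErrors {
		fmt.Printf("%q -> %q\n", vulnerableDescription(e), safeStatusMessage(e, true))
	}
}
```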
Impact
This is an information disclosure and telemetry injection issue. It affects any deployment that traces Redis traffic and exports spans to collectors, logs, or dashboards. Sensitive values, tokens, or PII present in Redis error text can be exfiltrated into telemetry systems, and untrusted text can contaminate downstream analysis.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "go.opentelemetry.io/obi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45679"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:56:15Z",
"nvd_published_at": "2026-06-02T16:16:42Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nOBI exports raw Redis error text as the span status message. Because Redis error replies can contain attacker-controlled or sensitive values, this behavior can exfiltrate tokens, PII, or other confidential input into telemetry backends and inject untrusted text into downstream analysis systems.\n\n### Details\n\nIn [pkg/ebpf/common/redis_detect_transform.go](https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/4f35facce2fe611319672595838ab875490f404d/pkg/components/ebpf/common/redis_detect_transform.go#L60-L74), `getRedisError` trims the raw error buffer and stores it directly in `request.DBError.Description`.\n\nLater, [pkg/appolly/app/request/span.go](https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/4f35facce2fe611319672595838ab875490f404d/pkg/app/request/span.go#L347-L352) returns that description as the exported status message for Redis spans whenever the span status is non-zero.\n\nThere is no opt-in control or sanitization beyond CRLF trimming. As a result, raw Redis error text becomes part of OTLP-exported status metadata by default.\n\n### PoC\n\nLocal request-layer testing recorded a status message containing `ERR invalid password for user bob secret=TOPSECRET`, which shows that unfiltered Redis error text reaches the exported status message.\n\nUse a vulnerable build:\n\n```bash\ngit checkout v0.0.0-rc.1+build\nmake build\n```\n\nStart Redis and OBI:\n\n```bash\ndocker run --rm -p 6379:6379 redis:7\nsudo ./bin/obi\n```\n\nSend a command that causes Redis to return an error containing caller-supplied text:\n\n```bash\nredis-cli -p 6379 \u0027NOTACMD my-secret-token-123\u0027\n```\n\nCapture the exported span or inspect the local telemetry output. On a vulnerable build, the span status message contains the Redis error text, including the supplied command fragment. This demonstrates that raw Redis error text is exported into telemetry by default and that values embedded in that text, including data supplied unintentionally by a caller, can be carried into tracing systems.\n\n### Impact\n\nThis is an information disclosure and telemetry injection issue. It affects any deployment that traces Redis traffic and exports spans to collectors, logs, or dashboards. Sensitive values, tokens, or PII present in Redis error text can be exfiltrated into telemetry systems, and untrusted text can contaminate downstream analysis.",
"id": "GHSA-8rrq-wcg8-cv5q",
"modified": "2026-06-09T10:57:58Z",
"published": "2026-05-18T17:56:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-8rrq-wcg8-cv5q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45679"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation"
},
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages"
}