{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-07T19:55:53.320","vulnerabilities":[{"cve":{"id":"CVE-2026-24051","sourceIdentifier":"security-advisories@github.com","published":"2026-02-02T23:16:07.963","lastModified":"2026-02-27T20:32:10.693","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in versions v1.20.0 through v1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command by resolving it through the search path (PATH) rather than by an absolute path. An attacker who can locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released in v1.40.0."},{"lang":"es","value":"OpenTelemetry-Go es la implementación de Go de OpenTelemetry. El SDK de Go de OpenTelemetry en la versión v1.20.0-1.39.0 es vulnerable a Secuestro de Ruta (Rutas de Búsqueda No Confiables) en sistemas macOS/Darwin. El código de detección de recursos en sdk/resource/host_id.go ejecuta el comando de sistema ioreg utilizando una ruta de búsqueda. Un atacante con la capacidad de modificar localmente la variable de entorno PATH puede lograr Ejecución de Código Arbitrario (ACE) dentro del contexto de la aplicación. \nUna corrección fue lanzada con la v1.40.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.0,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-426"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:linuxfoundation:opentelemetry-go:*:*:*:*:*:go:*:*","versionStartIncluding":"1.21.0","versionEndExcluding":"1.40.0","matchCriteriaId":"D2F3A3DE-73A9-48D9-B3CB-4DE1FB82314B"}]}]}],"references":[{"url":"https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}