CVE-2026-41483 — MEDIUM (5.9)

Q: How severe is CVE-2026-41483?

CVE-2026-41483 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-41483?

Check the references section above for vendor advisories and patch information. Affected products include: Opentelemetry Opentelemetry.Resources.Azure.

Vulnerability Description

OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, disable the Azure VM resource detector or use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint. This issue is fixed in version 1.15.1-beta.1, which streams responses rather than buffering them entirely in memory and ignores responses larger than 4 MiB.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Opentelemetry	Opentelemetry.Resources.Azure	<= 1.15.0

Related Weaknesses (CWE)

CWE-770

References

https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4121Issue TrackingPatch
https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisoriPatchVendor Advisory

FAQ

What is CVE-2026-41483?

CVE-2026-41483 is a vulnerability with a CVSS score of 5.9 (MEDIUM). OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instan...

How severe is CVE-2026-41483?

CVE-2026-41483 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-41483?

Check the references section above for vendor advisories and patch information. Affected products include: Opentelemetry Opentelemetry.Resources.Azure.