OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured. The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path. On multi-user systems where the temporary directory is accessible to other local accounts, this allows an attacker to write crafted *.blob files, read *.blob files written by the application between export failures, or deposit numerous or oversized blob files, degrading retry-loop performance or consuming disk space. This vulnerability is fixed in 1.15.3.
OpenTelemetry.Exporter.OpenTelemetryProtocol: Disk retry default temp path enables local blob injection for OTLP Exporter
Problem type
CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Affected products
open-telemetry / opentelemetry-dotnet: >= 1.8.0, < 1.15.3 - AFFECTED
References
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-4625-4j76-fww9
https://github.com/open-telemetry/opentelemetry-dotnet/pull/7106
GitHub Security Advisories
GHSA-4625-4j76-fww9
OpenTelemetry's disk retry default temp path enables local blob injection via OTLP Exporter
https://github.com/advisories/GHSA-4625-4j76-fww9
Summary
The OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured.
The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path.
On multi-user systems where the temporary directory is accessible to other local accounts, this exposed three attack surfaces:
- Blob injection (integrity): an attacker could write crafted *.blob files into the predictable path; the exporter picks them up on the next retry cycle and forwards them to the configured OTLP endpoint under the application's identity.
- Telemetry disclosure (confidentiality): an attacker reads *.blob files written by the application between export failures, recovering encoded telemetry payloads (spans, metric data points, log records).
- Resource exhaustion (availability): an attacker deposits numerous or oversized blob files, degrading retry-loop performance or consuming disk space.
Details
Preconditions
- OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY is set to disk.
- OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH is not set, causing the exporter to resolve the blob storage root using the System.IO.Path.GetTempPath() API.
- A local attacker has read or write access to the process' temporary directory (e.g., /tmp on Linux, or %TEMP% on a multi-user Windows installation).
Exploit path
- A target application starts with OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk and no explicit blob directory. The exporter resolves the storage root to Path.GetTempPath(), producing paths such as %TEMP%\traces, %TEMP%\metrics, and %TEMP%\logs (or /tmp/traces etc. on Linux).
- Injection scenario: before or during the application's retry window, an attacker writes crafted *.blob files into one of those signal subdirectories. On the next retry interval (by default every 60 seconds), OtlpExporterPersistentStorageTransmissionHandler scans the directory, loads the attacker-supplied blobs, and forwards them to the configured OTLP endpoint using the application's identity and transport credentials.
- Disclosure scenario: the attacker reads *.blob files that the application wrote after a transient export failure, recovering the full serialized telemetry payloads (spans, metric data points, or log records in Protobuf encoding).
- DoS scenario: the attacker deposits a large number of oversized blob files in the temporary subdirectories, causing the retry loop to consume excess CPU/IO processing them, potentially exhausting available disk space.
Mitigations
If an immediate upgrade to a patched version is not possible:
- Avoid enabling disk retry in shared environments.
- Configure a dedicated directory with strict ACL/ownership and least privilege.
- Ensure the directory is not shared across tenants/users.
- Monitor for unexpected *.blob files or abnormal retry backlog growth.
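The preconditions and mitigations above can be turned into a defender-side audit: confirm whether a process is configured in the vulnerable way (disk retry on, no explicit directory), check who else can reach the effective blob root, and measure the per-signal *.blob backlog that the last mitigation asks you to watch. The script below is an added example written for this page, not code from the opentelemetry-dotnet project. It assumes only what the advisory states (temp root plus fixed traces/metrics/logs subdirectories); the threshold defaults, the case-insensitive match on "disk", the report format and the POSIX-only permission check are this example's own choices, and the demo scenario is constructed on the fly under the system temp directory.

```python
"""Audit the OTLP disk-retry configuration described in GHSA-4625-4j76-fww9.

Added example, not opentelemetry-dotnet code. Models the pre-1.15.3 root
resolution from the advisory to answer three defender questions:
  1. does this environment fall back to the shared temp root,
  2. can other local accounts read or write that root (POSIX modes only),
  3. how large is the queued *.blob backlog per signal.
"""
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RETRY_VAR = "OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY"
DIR_VAR = "OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH"
SIGNALS = ("traces", "metrics", "logs")  # fixed subdirectory names from the advisory


@dataclass
class RetryAudit:
    disk_retry_enabled: bool
    root: Optional[str]                 # effective blob root; None when disk retry is off
    falls_back_to_temp: bool            # the vulnerable precondition from the advisory
    findings: List[str] = field(default_factory=list)
    backlog: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # signal -> (files, bytes)


def resolve_blob_root(env: Dict[str, str], temp_path: str) -> Tuple[Optional[str], bool]:
    """Mirror the advisory: DIR_VAR wins when set, otherwise the temp directory is used.
    `temp_path` stands in for Path.GetTempPath() so the logic runs on a constructed tree.
    Matching 'disk' case-insensitively is this audit's own, deliberately broad, choice."""
    if env.get(RETRY_VAR, "").strip().lower() != "disk":
        return None, False
    configured = env.get(DIR_VAR, "").strip()
    if configured:
        return configured, False
    return temp_path, True


def check_directory_permissions(path: str) -> List[str]:
    """POSIX-only: flag a root other local accounts can read or write.
    Windows ACLs are not inspected here; review %TEMP% ACLs separately on Windows."""
    if not os.path.isdir(path):
        return [f"{path}: does not exist"]
    if os.name == "nt":
        return []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/other (mode {mode:04o}); blob injection possible")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group/other (mode {mode:04o}); telemetry disclosure possible")
    return findings


def measure_backlog(root: str) -> Dict[str, Tuple[int, int]]:
    """Count queued *.blob files and their total size under each signal subdirectory."""
    result: Dict[str, Tuple[int, int]] = {}
    for signal in SIGNALS:
        sub = os.path.join(root, signal)
        count = total = 0
        if os.path.isdir(sub):
            for name in os.listdir(sub):
                full = os.path.join(sub, name)
                if name.endswith(".blob") and os.path.isfile(full):
                    count += 1
                    total += os.path.getsize(full)
        result[signal] = (count, total)
    return result


def audit(env: Dict[str, str], temp_path: str,
          max_files: int = 100, max_bytes: int = 50 * 1024 * 1024) -> RetryAudit:
    """Run all three checks; the backlog thresholds are illustrative defaults."""
    root, fallback = resolve_blob_root(env, temp_path)
    report = RetryAudit(disk_retry_enabled=root is not None, root=root, falls_back_to_temp=fallback)
    if root is None:
        return report
    if fallback:
        report.findings.append(f"{RETRY_VAR}=disk without {DIR_VAR}: blobs land under shared temp root {root}")
    report.findings.extend(check_directory_permissions(root))
    report.backlog = measure_backlog(root)
    for signal, (count, total) in report.backlog.items():
        if count > max_files or total > max_bytes:
            report.findings.append(f"{signal}: {count} blob files / {total} bytes exceeds threshold")
    return report


def demo() -> RetryAudit:
    """Constructed scenario: a /tmp-like 1777 root with three 1 KiB blobs under traces/,
    disk retry enabled and no explicit directory (the vulnerable configuration)."""
    root = tempfile.mkdtemp(prefix="otlp-retry-audit-")
    os.chmod(root, 0o1777)
    os.makedirs(os.path.join(root, "traces"))
    for i in range(3):
        with open(os.path.join(root, "traces", f"{i}.blob"), "wb") as fh:
            fh.write(b"\x00" * 1024)
    return audit({RETRY_VAR: "disk"}, root, max_files=2)


if __name__ == "__main__":
    for line in demo().findings:
        print(line)
```

Run against a real process, pass its environment (for example `dict(os.environ)`) and `tempfile.gettempdir()`; a report whose `falls_back_to_temp` is true on an affected version is the condition to fix first, by upgrading to 1.15.3 or setting OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH to a directory owned by the service account.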
Resources
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-4625-4j76-fww9
https://github.com/open-telemetry/opentelemetry-dotnet/pull/7106
https://github.com/open-telemetry/opentelemetry-dotnet/commit/78dffdc5ebdf3dc090fdb94e3f1a32d3d1e26dfd
https://nvd.nist.gov/vuln/detail/CVE-2026-42191
https://github.com/advisories/GHSA-4625-4j76-fww9
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-42191
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-42191",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-05-12T19:12:03.221Z",
"dateReserved": "2026-04-25T01:53:21.583Z",
"datePublished": "2026-05-12T19:12:03.221Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-05-12T19:12:03.221Z"
},
"title": "OpenTelemetry.Exporter.OpenTelemetryProtocol: Disk retry default temp path enables local blob injection for OTLP Exporter",
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured. The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path. On multi-user systems where the temporary directory is accessible to other local accounts, this allows an attacker to write crafted *.blob files, read *.blob files written by the application between export failures, or deposit numerous or oversized blob files, degrading retry-loop performance or consuming disk space. This vulnerability is fixed in 1.15.3."
}
],
"affected": [
{
"vendor": "open-telemetry",
"product": "opentelemetry-dotnet",
"versions": [
{
"version": ">= 1.8.0, < 1.15.3",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions",
"cweId": "CWE-379",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-4625-4j76-fww9",
"name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-4625-4j76-fww9",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7106",
"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7106",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
}
}
]
}
}
}