—

GO-2026-5253

OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR in go.opentelemetry.io/obi

Details

OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR in go.opentelemetry.io/obi

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / go.opentelemetry.io/obi

Introduced in: 0.4.0 Fixed in: 0.8.0

Fix go get go.opentelemetry.io/obi@v0.8.0

References

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-8gmg-3w2q-65f4 [ADVISORY]
https://nvd.nist.gov/vuln/detail/CVE-2026-41433 [ADVISORY]
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.8.0 [WEB]