Issued: 2026-04-21
Updated: 2026-04-21

RHSA-2026:9388 - Red Hat build of OpenTelemetry 3.9.2 release


Synopsis

Red Hat build of OpenTelemetry 3.9.2 release

Type/Severity

Security Advisory: Important

Topic

Red Hat build of OpenTelemetry 3.9.2 has been released

Description

This release of the Red Hat build of OpenTelemetry provides security improvements.

Breaking changes:

  • None

Deprecations:

  • None

Technology Preview features:

  • None

Enhancements:

  • None

Bug fixes:

  • XPath library vulnerability is fixed: Previously, the 'github.com/antchfx/xpath' library was vulnerable to a denial of service (DoS) attack. This issue occurred because specially crafted boolean XPath expressions that evaluated to true caused an infinite loop in the 'logicalQuery.Select' function, leading to 100% CPU utilization. With this update, the XPath library properly handles these expressions and prevents infinite loops. As a result, the system is no longer vulnerable to this DoS condition. For more information, see https://access.redhat.com/security/cve/cve-2026-32287.

  • gRPC-Go authorization bypass vulnerability is fixed: Previously, gRPC-Go was vulnerable to an authorization bypass attack. This issue occurred because the HTTP/2 ':path' pseudo-header was not properly validated. Remote attackers could send raw HTTP/2 frames with a malformed ':path' that omitted the mandatory leading slash to bypass defined security policies. With this update, gRPC-Go properly validates the ':path' pseudo-header and rejects malformed requests. As a result, attackers can no longer bypass security policies to gain unauthorized access to services or disclose information. For more information, see https://access.redhat.com/security/cve/cve-2026-33186.

  • Go JOSE denial of service vulnerability is fixed: Previously, the Go JOSE library for handling JSON Web Encryption (JWE) objects was vulnerable to a denial of service (DoS) attack. This issue occurred because the application failed when decrypting a specially crafted JWE object that specified a key wrapping algorithm but contained an empty encrypted key field. With this update, Go JOSE properly validates the encrypted key field before decryption. As a result, the application no longer crashes when processing malformed JWE objects, and the service remains available to legitimate users. For more information, see https://access.redhat.com/security/cve/cve-2026-34986.

Known issues:

  • The filesystem scraper does not produce the system.filesystem.inodes.usage and system.filesystem.usage metrics in the Host Metrics Receiver after upgrading from Collector version 0.142.0 to 0.143.0 or later. No known workaround exists. For more information, see https://issues.redhat.com/browse/TRACING-5963.

Solution

For details on how to apply this update, refer to:

https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators

Affected Products

Product                                 Version   Arch
Red Hat OpenShift distributed tracing   3.9.2     x86_64

Fixes

(none)

CVEs

  • CVE-2026-32287: https://access.redhat.com/security/cve/cve-2026-32287
  • CVE-2026-33186: https://access.redhat.com/security/cve/cve-2026-33186
  • CVE-2026-34986: https://access.redhat.com/security/cve/cve-2026-34986
