What is GHSA-8rrq-wcg8-cv5q?

GHSA-8rrq-wcg8-cv5q is a security advisory published by GitHub Security Advisories with Medium severity. OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages

Which CVE IDs does GHSA-8rrq-wcg8-cv5q cover?

GHSA-8rrq-wcg8-cv5q covers the following CVE IDs: CVE-2026-45679. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-8rrq-wcg8-cv5q?

GHSA-8rrq-wcg8-cv5q has a CVSS v3 base score of 6.5, published by GitHub Security Advisories.

Which products are affected by GHSA-8rrq-wcg8-cv5q?

GHSA-8rrq-wcg8-cv5q affects 1 product, including: go/go.opentelemetry.io/obi:\u003c 0.9.0.

GHSA-8rrq-wcg8-cv5qMediumCVSS 6.5

OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-45679 →

📋 Description

### Summary OBI exports raw Redis error text as the span status message. Because Redis error replies can contain attacker-controlled or sensitive values, this behavior can exfiltrate tokens, PII, or other confidential input into telemetry backends and inject untrusted text into downstream analysis systems. ### Details In [pkg/ebpf/common/redis_detect_transform.go](https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/4f35facce2fe611319672595838ab875490f404d/pkg/components/ebpf/common/redis_detect_transform.go#L60-L74), `getRedisError` trims the raw error buffer and stores it directly in `request.DBError.Description`. Later, [pkg/appolly/app/request/span.go](https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/4f35facce2fe611319672595838ab875490f404d/pkg/app/request/span.go#L347-L352) returns that description as the exported status message for Redis spans whenever the span status is non-zero. There is no opt-in control or sanitization beyond CRLF trimming. As a result, raw Redis error text becomes part of OTLP-exported status metadata by default. ### PoC Local request-layer testing recorded a status message containing `ERR invalid password for user bob secret=TOPSECRET`, which shows that unfiltered Redis error text reaches the exported status message. Use a vulnerable build: ```bash git checkout v0.0.0-rc.1+build make build ``` Start Redis and OBI: ```bash docker run --rm -p 6379:6379 redis:7 sudo ./bin/obi ``` Send a command that causes Redis to return an error containing caller-supplied text: ```bash redis-cli -p 6379 'NOTACMD my-secret-token-123' ``` Capture the exported span or inspect the local telemetry output. On a vulnerable build, the span status message contains the Redis error text, including the supplied command fragment. This demonstrates that raw Redis error text is exported into telemetry by default and that values embedded in that text, including data supplied unintentionally by a caller, can be carried into tracing systems. ### Impact This is an information disclosure and telemetry injection issue. It affects any deployment that traces Redis traffic and exports spans to collectors, logs, or dashboards. Sensitive values, tokens, or PII present in Redis error text can be exfiltrated into telemetry systems, and untrusted text can contaminate downstream analysis.

🎯 Affected products1

go/go.opentelemetry.io/obi:< 0.9.0

🔗 CVE IDs covered (1)

📋 Description

🎯 Affected products1

🔗 References (2)