CVE-2026-44967 is a vulnerability in the opentelemetry-cpp library affecting its OTLP HTTP exporters, which fail to impose any limit on the size of HTTP responses they read. This means a malicious or compromised server could send an oversized response, potentially causing excessive memory consumption or a denial of service in the consuming application. The issue is particularly relevant to Azure environments where OpenTelemetry is used for observability and telemetry collection.

Security Architect’s Take: Review any Azure workloads or services using opentelemetry-cpp with OTLP HTTP exporters and apply the patched version of the library as soon as it is available; in the interim, ensure telemetry exporters only communicate with trusted, network-controlled endpoints to reduce exposure to malicious response payloads.

Original advisory: CVE-2026-44967 opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response