FKIE_CVE-2026-23886

Vulnerability from fkie_nvd - Published: 2026-01-19 21:15 - Updated: 2026-06-17 10:22
Summary
Swift W3C TraceContext is a Swift implementation of the W3C Trace Context standard, and Swift OTel is an OpenTelemetry Protocol (OTLP) backend for Swift Log, Swift Metrics, and Swift Distributed Tracing. Prior to Swift W3C TraceContext version 1.0.0-beta.5 and Swift OTel version 1.0.4, a denial-of-service vulnerability due to improper input validation allows a remote attacker to crash the service via a malformed HTTP header. This allows crashing the process with data coming from the network when used with, for example, an HTTP server. The most common way of using Swift W3C Trace Context is through Swift OTel. Version 1.0.0-beta.5 of Swift W3C TraceContext and version 1.0.4 of Swift OTel contain a patch for this issue. As a workaround, disable either Swift OTel or the code that extracts the trace information from an incoming header (such as a `TracingMiddleware`).
Impacted products
{
  "affected": [
    {
      "affectedData": [
        {
          "product": "swift-w3c-trace-context",
          "vendor": "swift-otel",
          "versions": [
            {
              "status": "affected",
              "version": "swift-otel \u003c 1.0.4"
            },
            {
              "status": "affected",
              "version": "swift-w3c-trace-context \u003c 1.0.0-beta.5"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Swift W3C TraceContext is a Swift implementation of the W3C Trace Context standard, and Swift OTel is an OpenTelemetry Protocol (OTLP) backend for Swift Log, Swift Metrics, and Swift Distributed Tracing. Prior to Swift W3C TraceContext version 1.0.0-beta.5 and Swift OTel version 1.0.4, a denial-of-service vulnerability due to improper input validation allows a remote attacker to crash the service via a malformed HTTP header. This allows crashing the process with data coming from the network when used with, for example, an HTTP server. Most common way of using Swift W3C Trace Context is through Swift OTel. Version 1.0.0-beta.5 of Swift W3C TraceContext and version 1.0.4 of Swift OTel contain a patch for this issue. As a workaround, disable either Swift OTel or the code that extracts the trace information from an incoming header (such as a `TracingMiddleware`)."
    },
    {
      "lang": "es",
      "value": "Swift W3C TraceContext es una implementaci\u00f3n en Swift del est\u00e1ndar W3C Trace Context, y Swift OTel es un backend del Protocolo OpenTelemetry (OTLP) para Swift Log, Swift Metrics y Swift Distributed Tracing. Antes de Swift W3C TraceContext versi\u00f3n 1.0.0-beta.5 y Swift OTel versi\u00f3n 1.0.4, una vulnerabilidad de denegaci\u00f3n de servicio debido a una validaci\u00f3n de entrada incorrecta permite a un atacante remoto bloquear el servicio a trav\u00e9s de un encabezado HTTP malformado. Esto permite bloquear el proceso con datos provenientes de la red cuando se usa con, por ejemplo, un servidor HTTP. La forma m\u00e1s com\u00fan de usar Swift W3C Trace Context es a trav\u00e9s de Swift OTel. La versi\u00f3n 1.0.0-beta.5 de Swift W3C TraceContext y la versi\u00f3n 1.0.4 de Swift OTel contienen un parche para este problema. Como soluci\u00f3n alternativa, deshabilite Swift OTel o el c\u00f3digo que extrae la informaci\u00f3n de rastreo de un encabezado entrante (como un \u0027TracingMiddleware\u0027)."
    }
  ],
  "id": "CVE-2026-23886",
  "lastModified": "2026-06-17T10:22:15.497",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-23886",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-01-21T20:46:16.441110Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-01-19T21:15:52.597",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/swift-otel/swift-otel/releases/tag/1.0.4"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/swift-otel/swift-w3c-trace-context/commit/5da9b143ba6046734de3fa51dafea28290174e4e"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/swift-otel/swift-w3c-trace-context/releases/tag/1.0.0-beta.5"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/swift-otel/swift-w3c-trace-context/security/advisories/GHSA-mvpq-2v8x-ww6g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}
