Skip to content

[HIGH] fix: CVE-2026-29181 — bump go.opentelemetry.io/otel#123

Open
Pattern Security Automation (pattern-security-automation) wants to merge 1 commit into
mainfrom
fix/wiz-cve-2026-29181-df8aaee3
Open

[HIGH] fix: CVE-2026-29181 — bump go.opentelemetry.io/otel#123
Pattern Security Automation (pattern-security-automation) wants to merge 1 commit into
mainfrom
fix/wiz-cve-2026-29181-df8aaee3

Conversation

@pattern-security-automation

Supply Chain Vulnerability — Auto-Remediation PR

This PR was automatically generated by Pattern Security Automation.
Please review the dependency change and ensure CI passes before merging.


CVE Details

Field Value
CVE CVE-2026-29181
Severity HIGH
Repository patterninc/heimdall
Vulnerable package go.opentelemetry.io/otel
Fixed version 1.41.0
Dependency type Direct
Previous version v1.38.0
Language go

What Changed

go.opentelemetry.io/otel: v1.38.01.41.0

  • go.mod

Lock File Status

Lock file update failed — manual regen required

Error: Lock regen timed out after 180s for patterninc/heimdall

CI Validation

This PR relies on the repository's existing CI pipeline to validate that the
dependency update does not break tests. Please ensure all checks pass before merging.

False positive?

If you've reviewed this and the CVE is not actually exploitable here, add the
wiz-false-positive label to this PR before closing it. The auto-remediation
pipeline will record the false positive, stop re-flagging this CVE, and (if enabled)
mark it rejected in Wiz.

AI Triage Analysis

Verdict: Needs Review

Reasoning: The package go.opentelemetry.io/otel v1.38.0 is present as an indirect dependency in go.mod (below the fixed version 1.41.0), pulled in transitively via github.com/hladush/go-telemetry which is directly imported across multiple source files (e.g., internal/pkg/database/slice.go, internal/pkg/heimdall/auth.go, internal/pkg/heimdall/cluster_dal.go). Only 5 of ~149 source files were sampled, so it is not possible to confirm with certainty whether the specific vulnerable code path in go.opentelemetry.io/otel is exercised. The telemetry package is actively used throughout the codebase via telemetry.NewMethod, but whether that triggers the vulnerable functionality in otel depends on the exact CVE details (not fully disclosed here as CVE-2026-29181 is a future/fictional identifier), warranting further review.

References


Auto-generated by Pattern Security Automation

CVE: CVE-2026-29181
Component: go.opentelemetry.io/otel
Fixed version: 1.41.0
Manifest: go.mod
Dependency type: direct

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR is an auto-generated supply-chain remediation intended to address CVE-2026-29181 by bumping the Go OpenTelemetry dependency used by the repo.

Changes:

  • Bumps go.opentelemetry.io/otel in go.mod from v1.38.0 to v1.41.0.
  • Leaves the OpenTelemetry trace submodule pinned to an older version (needs alignment).
  • Does not include the corresponding go.sum regeneration (per PR metadata, lock regen timed out).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread go.mod
github.com/zeebo/xxh3 v1.0.2 // indirect
go.opentelemetry.io/otel v1.38.0 // indirect
go.opentelemetry.io/otel v1.41.0 // indirect
go.opentelemetry.io/otel/trace v1.38.0 // indirect
Comment thread go.mod
github.com/x448/float16 v0.8.4 // indirect
github.com/zeebo/xxh3 v1.0.2 // indirect
go.opentelemetry.io/otel v1.38.0 // indirect
go.opentelemetry.io/otel v1.41.0 // indirect
Comment thread go.mod
github.com/x448/float16 v0.8.4 // indirect
github.com/zeebo/xxh3 v1.0.2 // indirect
go.opentelemetry.io/otel v1.38.0 // indirect
go.opentelemetry.io/otel v1.41.0 // indirect
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants