Headline
GHSA-mvpq-2v8x-ww6g: Swift W3C TraceContext vulnerable to a malformed HTTP header causing a crash
Impact
A denial-of-service vulnerability due to improper input validation allows a remote attacker to crash the service via a malformed HTTP header.
The process can be crashed by data arriving from the network when the library is used with, for example, an HTTP server. The most common way of using Swift W3C Trace Context is through Swift OTel.
Patches
https://github.com/swift-otel/swift-w3c-trace-context/commit/5da9b143ba6046734de3fa51dafea28290174e4e
Workarounds
Disable either Swift OTel or the code that extracts the trace information from an incoming header (such as a TracingMiddleware).
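The input-validation problem described under Impact, seen from the defensive side: an added example, not the project's patch or API, of parsing a `traceparent` value so that malformed input returns `nil` instead of trapping. The advisory does not state which malformation triggers the crash; the field layout follows the W3C Trace Context specification, and `ParsedTraceParent`, `isLowerHex` and `parseTraceParent` are hypothetical names.

```swift
// Added example: strict, non-trapping validation of a W3C `traceparent` value.
// Layout per the W3C Trace Context spec (version 00):
//   version(2 hex)-traceid(32 hex)-parentid(16 hex)-flags(2 hex), lowercase hex.

struct ParsedTraceParent: Equatable {
    let traceID: String
    let parentID: String
    let flags: UInt8
}

/// True when `field` is exactly `length` lowercase hex bytes.
private func isLowerHex(_ field: Substring, length: Int) -> Bool {
    field.utf8.count == length && field.utf8.allSatisfy { byte in
        (UInt8(ascii: "0")...UInt8(ascii: "9")).contains(byte)
            || (UInt8(ascii: "a")...UInt8(ascii: "f")).contains(byte)
    }
}

/// Returns nil for any malformed value; no force unwraps or unchecked indexing.
func parseTraceParent(_ header: String) -> ParsedTraceParent? {
    // Reject wrong-sized input up front (55 = 2 + 1 + 32 + 1 + 16 + 1 + 2).
    guard header.utf8.count == 55 else { return nil }
    // Keep empty fields so "00--..." produces a wrong-length field, not a shifted one.
    let fields = header.split(separator: "-", omittingEmptySubsequences: false)
    guard fields.count == 4,
          isLowerHex(fields[0], length: 2),
          isLowerHex(fields[1], length: 32),
          isLowerHex(fields[2], length: 16),
          isLowerHex(fields[3], length: 2),
          fields[0] == "00",                        // only version 00 is handled here
          fields[1].contains(where: { $0 != "0" }), // all-zero trace id is invalid
          fields[2].contains(where: { $0 != "0" }), // all-zero parent id is invalid
          let flags = UInt8(fields[3], radix: 16)
    else { return nil }
    return ParsedTraceParent(traceID: String(fields[1]), parentID: String(fields[2]), flags: flags)
}

// Constructed sample inputs (not taken from the advisory).
let samples = [
    "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01", // well-formed
    "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331",    // flags field missing
    "00-ZZf7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01", // non-hex characters
    "",                                                         // empty header
]
for value in samples {
    print(parseTraceParent(value).map { "ok \($0.traceID)" } ?? "rejected")
}
```

A caller that receives `nil` can start a new trace rather than propagate the incoming context, so a bad header costs one lost parent link instead of the process.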
References
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2026-23886
Package
swift github.com/swift-otel/swift-otel (Swift)
Affected versions
< 1.0.4
swift github.com/swift-otel/swift-w3c-trace-context (Swift)
Description
Published to the GitHub Advisory Database
Jan 21, 2026
Last updated
Jan 21, 2026