feat: Add support to send OTEL traces via OTLP #4899
find-bugs: Found 4 issues (4 low)
Low
Snapshot() ignores _pinnedActivity and re-reads Activity.Current - `src/Sentry.OpenTelemetry.Exporter/OtelPropagationContext.cs:24`
Snapshot() always passes Activity.Current to the new OtelPropagationContext, ignoring the existing _pinnedActivity field. If Snapshot() is called on a context that was already pinned, the resulting snapshot may reference a different (or null) activity than the original, breaking the documented TOCTOU guarantee ('all values fixed at the current instant') relative to the source.
Also found at: `src/Sentry.OpenTelemetry.Exporter/OtelPropagationContext.cs:30-34`
GetBaggageHeader enumerates Activity.Baggage without snapshotting - `src/Sentry.OpenTelemetry.Exporter/OtelPropagationContext.cs:156-165`
GetBaggageHeader iterates Current?.Baggage directly. Activity.Baggage is implemented as a linked list and Activity.AddBaggage may mutate it from another thread. Concurrent enumeration during mutation can throw InvalidOperationException or yield inconsistent items, leading to runtime errors when constructing baggage headers for outbound requests.
HttpClient created in HttpClientFactory is never disposed and has no timeout - `src/Sentry.OpenTelemetry.Exporter/SentryTracerProviderBuilderExtensions.cs:63-71`
The HttpClientFactory delegate constructs a new HttpClient via new HttpClient() without configuring a timeout and without any disposal pattern. While OpenTelemetry's OtlpExporter typically caches and reuses the client, the absence of an explicit timeout means a hung Sentry endpoint can stall the exporter indefinitely, and any code path that recreates the client (e.g., reload or reconfigure) will leak the underlying HttpMessageHandler/sockets. Under sustained failure conditions this can contribute to resource exhaustion (DoS).
AddSentryOtlpExporter mutates global OpenTelemetry propagator state - `src/Sentry.OpenTelemetry.Exporter/SentryTracerProviderBuilderExtensions.cs:50-51`
Sdk.SetDefaultTextMapPropagator(defaultTextMapPropagator) is a process-wide side effect executed unconditionally inside an extension method that callers would reasonably expect to only configure the supplied TracerProviderBuilder. If the user has already configured a propagator, or calls AddSentryOtlpExporter on multiple builders, the last call silently overrides previously installed propagators, potentially breaking distributed tracing context propagation in unrelated parts of the application.
Duration: 3m 10s · Tokens: 1.3M in / 8.4k out · Cost: $7.48 (+merge: $0.00)