CVE-2026-44213

OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured

Assigner: GitHub_M
Reserved: 05.05.2026 Published: 26.05.2026 Updated: 26.05.2026

The OpenTelemetry.Exporter.Instana exports telemetry to Instana backend. Prior to 1.1.0, the OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the INSTANA_ENDPOINT_PROXY environment variable. If a network attacker can Man-in-the-Middle (MitM) the proxy connection, all OpenTelemetry telemetry data and the Instana API key are exposed to the attacker. This vulnerability is fixed in 1.1.0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	open-telemetry
Product	opentelemetry-dotnet-contrib
Versions	Version < 1.1.0 is affected

Vendor

open-telemetry

Product

opentelemetry-dotnet-contrib

Versions

Version < 1.1.0 is affected

References

Problem Types

CWE-295: Improper Certificate Validation CWE

CVE-2026-44213 PUBLISHED

OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured

Metrics

Product Status

References

Problem Types