PT-2026-39240 · Nuget · Opentelemetry.Exporter.Instana

Smartincostello · Published 2026-05-08 · Updated 2026-05-29 · CVE-2026-44213

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

OpenTelemetry.Exporter.Instana (affected versions not specified)

Description

The OpenTelemetry.Exporter.Instana NuGet package fails to validate HTTPS/TLS certificates when sending telemetry to an Instana back-end if a proxy is configured via the INSTANA_ENDPOINT_PROXY environment variable. The Transport.ConfigureBackendClient() function creates an HttpClient instance that disables TLS server certificate validation. This allows a network attacker to perform a Man-in-the-Middle (MitM) attack (a technique where an attacker intercepts communication between two parties) to expose all OpenTelemetry telemetry data and the Instana API key.

Recommendations

Do not configure the INSTANA_ENDPOINT_PROXY environment variable. As a temporary workaround, restrict the use of the INSTANA_ENDPOINT_PROXY environment variable to trusted environments only.
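
The weak handler configuration described above, next to a validated one, as an added example that is not the package's own code. The class and method names are hypothetical, and the use of DangerousAcceptAnyServerCertificateValidator is an assumption about how validation ends up disabled.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;

// Added illustration; class and method names are hypothetical, not the exporter's source.
public static class BackendClientExample
{
    const string ProxyVariable = "INSTANA_ENDPOINT_PROXY";

    // Weak pattern: once a proxy is configured, the handler accepts any server
    // certificate, so the TLS peer behind the proxy is never authenticated.
    public static HttpClient CreateWeak(string proxyUrl)
    {
        var handler = new HttpClientHandler
        {
            Proxy = new WebProxy(proxyUrl),
            UseProxy = true,
            ServerCertificateCustomValidationCallback =
                HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
        };
        return new HttpClient(handler);
    }

    // Corrected pattern: same proxy, but the connection is rejected unless the
    // platform's chain and host-name checks reported no errors.
    public static HttpClient CreateValidated(string proxyUrl)
    {
        var handler = new HttpClientHandler
        {
            Proxy = new WebProxy(proxyUrl),
            UseProxy = true,
            ServerCertificateCustomValidationCallback =
                (request, certificate, chain, errors) => errors == SslPolicyErrors.None
        };
        return new HttpClient(handler);
    }

    // Startup check matching the recommendation: is the proxy variable set at all?
    public static bool ProxyVariableIsSet() =>
        !string.IsNullOrWhiteSpace(Environment.GetEnvironmentVariable(ProxyVariable));

    public static void Main()
    {
        if (ProxyVariableIsSet())
            Console.Error.WriteLine(
                $"{ProxyVariable} is set: review exposure to CVE-2026-44213 before exporting telemetry.");
    }
}
```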

Exploit

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2026-44213
GHSA-WFR5-454P-MJC2

Affected Products

Opentelemetry.Exporter.Instana