CVE-2026-44213 | THREATINT

Description

The OpenTelemetry.Exporter.Instana exports telemetry to Instana backend. Prior to 1.1.0, the OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the INSTANA_ENDPOINT_PROXY environment variable. If a network attacker can Man-in-the-Middle (MitM) the proxy connection, all OpenTelemetry telemetry data and the Instana API key are exposed to the attacker. This vulnerability is fixed in 1.1.0.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-26 | Updated 2026-05-26 | Assigner GitHub_M

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-295: Improper Certificate Validation

Product status

< 1.1.0

affected

References

github.com/...ontrib/security/advisories/GHSA-wfr5-454p-mjc2

cve.org (CVE-2026-44213)

nvd.nist.gov (CVE-2026-44213)

Download JSON