CVE-2026-44213
OpenTelemetry.Exporter.Instana TLS Certificate Validation Bypass
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opentelemetry | exporter_instana | to 1.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the OpenTelemetry.Exporter.Instana NuGet package versions prior to 1.1.0. When a proxy is configured using the INSTANA_ENDPOINT_PROXY environment variable, the package does not validate the HTTPS/TLS certificates of the proxy connection. This means that if an attacker can perform a Man-in-the-Middle (MitM) attack on the proxy connection, they can intercept all telemetry data sent to the Instana backend, including the Instana API key.
How can this vulnerability impact me? :
If exploited, this vulnerability allows a network attacker to intercept sensitive telemetry data and the Instana API key by performing a Man-in-the-Middle attack on the proxy connection. This exposure can lead to unauthorized access to telemetry information and potentially allow the attacker to misuse the Instana API key, compromising the security and integrity of your telemetry data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the OpenTelemetry.Exporter.Instana NuGet package to version 1.1.0 or later, where the issue with HTTPS/TLS certificate validation when using a proxy is fixed.