Medium severity6.5GHSA Advisory· Published May 26, 2026· Updated May 29, 2026
CVE-2026-44213
CVE-2026-44213
Description
The OpenTelemetry.Exporter.Instana exports telemetry to Instana backend. Prior to 1.1.0, the OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the INSTANA_ENDPOINT_PROXY environment variable. If a network attacker can Man-in-the-Middle (MitM) the proxy connection, all OpenTelemetry telemetry data and the Instana API key are exposed to the attacker. This vulnerability is fixed in 1.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
OpenTelemetry.Exporter.InstanaNuGet | < 1.1.0 | 1.1.0 |
Affected products
2- Range: <= 1.0.7
Patches
Vulnerability mechanics
References
3News mentions
1- OpenTelemetry: Five CVEs Across Go, Java, JS, and .NET SDKs Disclosed TogetherVypr Intelligence · May 28, 2026