PatchSiren cyber security CVE debrief
CVE-2026-44213 open-telemetry CVE debrief
CVE-2026-44213 is a MEDIUM severity (CVSS 6.5) vulnerability in the OpenTelemetry.Exporter.Instana NuGet package, affecting versions prior to 1.1.0. When a proxy is configured through the INSTANA_ENDPOINT_PROXY environment variable, the exporter does not validate the TLS certificate of the Instana backend it sends telemetry to. This certificate validation bypass creates a man-in-the-middle (MitM) exposure: an attacker who can intercept the proxied connection, or who controls the proxy, can terminate the TLS session with a certificate of their own, read every exported span along with the Instana API key, and alter telemetry before forwarding it. The vulnerability is classified under CWE-295 (Improper Certificate Validation). A fix was released in version 1.1.0. Organizations using this package with a proxy configuration should prioritize upgrading to the patched version to prevent data exfiltration and credential compromise.
- Vendor: open-telemetry
- Product: opentelemetry-dotnet-contrib
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-27
Who should care
Organizations running OpenTelemetry.Exporter.Instana in .NET applications, particularly those that export through a corporate or egress proxy, i.e. with INSTANA_ENDPOINT_PROXY set. The defect is tied to that proxy configuration; deployments that do not set INSTANA_ENDPOINT_PROXY are outside the affected configuration the advisory describes. DevOps teams, SREs, and security engineers responsible for observability pipeline security should prioritize this patch.
Technical summary
Versions of OpenTelemetry.Exporter.Instana before 1.1.0 skip TLS certificate validation on the connection to the Instana backend whenever the INSTANA_ENDPOINT_PROXY environment variable is set. Because the client accepts any certificate, an attacker on the path (between the application and the proxy, or operating a compromised proxy) can terminate the HTTPS session with a certificate of their own and the application will not notice; the telemetry payloads and the Instana authentication credentials are then readable and modifiable by the attacker. Exploitation requires network positioning (ARP spoofing, DNS hijacking, a rogue or compromised proxy) but has a high impact on the confidentiality and integrity of telemetry data and exposes the API key for reuse. Note that such interception leaves no evidence on the client: a certificate validation failure is exactly the signal the vulnerable code suppresses. The fix in 1.1.0 restores normal certificate chain validation for proxied connections.
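The pattern described above, as an added C# illustration that is not the exporter's source and does not reproduce the actual pre-1.1.0 code: the insecure form installs an accept-anything certificate callback alongside the proxy, the hardened form keeps validation strict, and RejectsUntrustedCertificate is a self-check that feeds a handler's validator a freshly generated self-signed certificate, which is also usable for the "verify validation after upgrade" step. The fallback proxy address, the ingress hostname and the request path are assumptions.

```csharp
// Added illustration of the CWE-295 pattern behind CVE-2026-44213.
// This is NOT the OpenTelemetry.Exporter.Instana source; it shows the generic
// .NET mistake (accept-any certificate callback installed alongside a proxy)
// next to the hardened form, plus a self-check for the validator.
// Assumptions: the proxy fallback address, hostname and path are made up.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class InstanaTransport
{
    // Insecure form: the proxy is wired in and, to avoid TLS errors through the
    // proxy, every server certificate is accepted. Anyone between the app and
    // the proxy, or operating the proxy, can terminate TLS with any certificate
    // and read or alter the spans and the API key in transit.
    public static HttpClientHandler BuildHandlerInsecure(string proxyUrl) => new HttpClientHandler
    {
        Proxy = new WebProxy(proxyUrl),
        UseProxy = true,
        // CWE-295: chain, hostname and expiry checks are all disabled.
        ServerCertificateCustomValidationCallback =
            HttpClientHandler.DangerousAcceptAnyServerCertificateValidator,
    };

    // Hardened form: proxying needs no change to certificate validation.
    // Either leave the callback unset (default validation) or, if a callback
    // is wanted for logging, reject anything but SslPolicyErrors.None.
    public static HttpClientHandler BuildHandlerHardened(string proxyUrl) => new HttpClientHandler
    {
        Proxy = new WebProxy(proxyUrl),
        UseProxy = true,
        ServerCertificateCustomValidationCallback = StrictValidator,
    };

    public static bool StrictValidator(HttpRequestMessage request, X509Certificate2? cert,
                                       X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.Error.WriteLine($"TLS validation failed for {request.RequestUri?.Host}: {errors}");
        return false;
    }

    // Self-check for "verify TLS validation after upgrade": hand the handler's
    // validator a self-signed certificate flagged with chain errors. A correct
    // validator returns false; an accept-anything validator returns true.
    public static bool RejectsUntrustedCertificate(HttpClientHandler handler)
    {
        var validator = handler.ServerCertificateCustomValidationCallback;
        if (validator is null) return true; // default .NET validation is in force

        using var key = RSA.Create(2048);
        var csr = new CertificateRequest("CN=mitm.invalid", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var selfSigned = csr.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        using var request = new HttpRequestMessage(HttpMethod.Post, "https://ingress.example/api/traces");

        bool accepted = validator(request, selfSigned, null, SslPolicyErrors.RemoteCertificateChainErrors);
        return !accepted;
    }

    public static void Main()
    {
        // Same variable the advisory names; the fallback address is an assumption.
        string proxy = Environment.GetEnvironmentVariable("INSTANA_ENDPOINT_PROXY")
                       ?? "http://proxy.internal:3128";

        Console.WriteLine($"insecure handler rejects untrusted cert: {RejectsUntrustedCertificate(BuildHandlerInsecure(proxy))}");
        Console.WriteLine($"hardened handler rejects untrusted cert: {RejectsUntrustedCertificate(BuildHandlerHardened(proxy))}");
    }
}
```

The self-check only exercises the callback, not the live connection; for an end-to-end confirmation after upgrading, point the exporter through the same proxy at a test endpoint that presents an untrusted certificate and confirm the export fails rather than silently succeeding.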
Defensive priority
medium
Recommended defensive actions
- Upgrade the OpenTelemetry.Exporter.Instana NuGet package to version 1.1.0 or later in every project that references it, including transitive references
- Audit applications, container definitions and launch profiles for use of the INSTANA_ENDPOINT_PROXY environment variable; those deployments are the ones in the affected configuration
- Review network configurations for proxy usage on the Instana telemetry export path, including who operates the proxy and which networks the proxied traffic crosses
- Verify TLS certificate validation is enforced after the upgrade (for example, export through the same proxy to a test endpoint presenting an untrusted certificate and confirm the export fails)
- Rotate Instana API keys if compromise is suspected; because interception on this path leaves no client-side evidence, consider rotating keys for any deployment whose proxied traffic crossed networks you do not control while a vulnerable version was in use
- Monitor proxy logs for unexpected destinations on the Instana export path, and the Instana side for API key use from unfamiliar sources
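The audit steps above (find vulnerable package references, find where INSTANA_ENDPOINT_PROXY is configured), as an added C# scanner that is not part of the advisory or the project. It walks a source tree, reads PackageReference and PackageVersion entries from project and props files, flags versions below the fixed 1.1.0 (or ranges it cannot resolve), and lists config files and the current process environment that mention INSTANA_ENDPOINT_PROXY. The file patterns and skipped directories are assumptions.

```csharp
// Added audit helper for CVE-2026-44213 (not the advisory's or the project's code).
// Scans a source tree for OpenTelemetry.Exporter.Instana references below 1.1.0
// and for INSTANA_ENDPOINT_PROXY in config files and the process environment.
// Assumptions: file patterns, skipped directories and the fallback root path.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml.Linq;

public static class InstanaAudit
{
    const string Package = "OpenTelemetry.Exporter.Instana";
    static readonly Version Fixed = new Version(1, 1, 0); // fix version from the advisory

    public record Finding(string File, string Kind, string Detail);

    // Accepts "1.0.0", "1.0.0-beta.2", "[1.0.0]"; returns null for ranges like "[1.0,2.0)".
    public static Version? ParseNuGetVersion(string raw)
    {
        string v = raw.Trim().Trim('[', ']', '(', ')');
        if (v.Contains(',')) return null;          // a range: needs manual resolution
        int dash = v.IndexOf('-');
        if (dash >= 0) v = v.Substring(0, dash);   // drop the prerelease label
        if (v.Count(c => c == '.') == 1) v += ".0"; // "1.0" -> "1.0.0"
        return Version.TryParse(v, out var parsed) ? parsed : null;
    }

    public static bool IsVulnerable(string rawVersion) =>
        ParseNuGetVersion(rawVersion) is Version v && v < Fixed;

    // Handles SDK-style and legacy (namespaced) MSBuild XML via LocalName, and
    // both the Version attribute and the <Version> child element form.
    public static IEnumerable<Finding> ScanProjectXml(string file, string xml)
    {
        var doc = XDocument.Parse(xml);
        foreach (var el in doc.Descendants())
        {
            if (el.Name.LocalName is not ("PackageReference" or "PackageVersion")) continue;
            string? id = (string?)el.Attribute("Include") ?? (string?)el.Attribute("Update");
            if (!string.Equals(id, Package, StringComparison.OrdinalIgnoreCase)) continue;

            string? version = (string?)el.Attribute("Version")
                              ?? (string?)el.Element(el.Name.Namespace + "Version");
            if (version is null)
                yield return new Finding(file, "unpinned", $"{Package} has no Version here; check Directory.Packages.props");
            else if (ParseNuGetVersion(version) is null)
                yield return new Finding(file, "review", $"{Package} version '{version}' is a range; resolve manually");
            else if (IsVulnerable(version))
                yield return new Finding(file, "vulnerable", $"{Package} {version} is below {Fixed}");
        }
    }

    public static IEnumerable<Finding> ScanProxyReferences(string file, string text)
    {
        if (text.Contains("INSTANA_ENDPOINT_PROXY", StringComparison.Ordinal))
            yield return new Finding(file, "proxy-config", "references INSTANA_ENDPOINT_PROXY");
    }

    public static List<Finding> ScanTree(string root)
    {
        var findings = new List<Finding>();
        foreach (var f in Directory.EnumerateFiles(root, "*", SearchOption.AllDirectories))
        {
            // Skip build output and vendored trees (assumed layout).
            if (f.Split(Path.DirectorySeparatorChar).Any(seg => seg is "bin" or "obj" or ".git" or "node_modules"))
                continue;
            string ext = Path.GetExtension(f);
            string name = Path.GetFileName(f);
            if (ext is ".csproj" or ".fsproj" or ".props" or ".targets")
                findings.AddRange(ScanProjectXml(f, File.ReadAllText(f)));
            if ((ext is ".json" or ".yml" or ".yaml" or ".env") || name.StartsWith("Dockerfile"))
                findings.AddRange(ScanProxyReferences(f, File.ReadAllText(f)));
        }
        // The variable is often injected by the orchestrator rather than checked in,
        // so the running process's own environment is checked as well.
        if (Environment.GetEnvironmentVariable("INSTANA_ENDPOINT_PROXY") is string p)
            findings.Add(new Finding("<process environment>", "proxy-config", $"INSTANA_ENDPOINT_PROXY={p}"));
        return findings;
    }

    public static void Main(string[] args)
    {
        string root = args.Length > 0 ? args[0] : ".";
        foreach (var f in ScanTree(root))
            Console.WriteLine($"{f.Kind,-12} {f.File}: {f.Detail}");
    }
}
```

For a single solution, `dotnet list package --include-transitive` answers the package-version question faster; the scanner is for sweeping many repositories and for catching the environment variable in config. Since INSTANA_ENDPOINT_PROXY may be set only at runtime by the orchestrator, run the process-environment check on the deployed host, not just against source control.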
Evidence notes
Vulnerability confirmed through GitHub Security Advisory GHSA-wfr5-454p-mjc2. CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N (the High privileges-required component is what keeps the score at MEDIUM despite High confidentiality and integrity impact). Fix version 1.1.0 explicitly mentioned in advisory.
Official resources
- CVE-2026-44213 CVE record (CVE.org)
- CVE-2026-44213 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: 2026-05-26