{"data":{"id":"be9f053c-8691-4ca8-b1df-ef0040b48a27","title":"GHSA-wfr5-454p-mjc2: OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured","summary":"The OpenTelemetry.Exporter.Instana NuGet package (a tool for monitoring application performance) disables TLS certificate validation (the security check that verifies a server's identity) when a proxy is configured using the INSTANA_ENDPOINT_PROXY environment variable. With validation disabled, the exporter accepts any certificate it is presented, so an attacker who intercepts the network connection could read sensitive telemetry data and steal the Instana API key (a credential that grants access to monitoring systems). The vulnerability only affects systems where a proxy is configured, and it can only be exploited if that proxy is controlled by an attacker or traffic through it is vulnerable to interception.","solution":"Upgrade to version 1.1.0, the fixed release listed for this advisory. Pull request #4153 refactors the HttpClient creation so that TLS certificate validation is no longer disabled by default when using a proxy. For environments where disabling certificate validation is necessary (such as local development), the previous behavior can be restored by configuring a custom HttpClientFactory with ServerCertificateCustomValidationCallback set to accept any certificate, as shown in the code example in the remediation section of the linked advisory. Restoring that behavior reintroduces the interception risk to telemetry data and the Instana API key, so it should stay confined to non-production environments.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-wfr5-454p-mjc2","publishedAt":"2026-05-08T20:48:02.000Z","cveId":"CVE-2026-44213","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":["OpenTelemetry.Exporter.Instana@<= 1.0.7 (fixed: 1.1.0)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry","Instana"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-08T20:48:02.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.72,"researchCategory":null,"atlasIds":null}}