GHSA-wfr5-454p-mjc2: OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured
Summary
The OpenTelemetry.Exporter.Instana NuGet package (a tool for monitoring application performance) disables TLS certificate validation (the security check that verifies a server's identity) when a proxy is configured using the INSTANA_ENDPOINT_PROXY environment variable. This means an attacker who intercepts the network connection could read sensitive telemetry data and steal the Instana API key (a credential that grants access to monitoring systems). The vulnerability only affects systems where a proxy is configured and that proxy is either controlled by an attacker or exposed to interception.
Solution / Mitigation
Pull request #4153 refactors the HttpClient creation so that TLS certificate validation is no longer disabled by default when a proxy is configured. For environments where disabling certificate validation is genuinely necessary (such as local development), the previous behavior can be restored deliberately by configuring a custom HttpClientFactory with ServerCertificateCustomValidationCallback set to accept any certificate, as shown in the code example provided in the remediation section.
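The following is an added example, not code from the exporter or from pull request #4153. It shows the two configurations the advisory contrasts: an HttpClient that honours INSTANA_ENDPOINT_PROXY while leaving the framework's default certificate validation intact (the fixed behaviour), and a separate, explicitly named factory that restores the pre-fix accept-any-certificate behaviour for local development only. The class and method names are assumptions; the exporter's real HttpClientFactory hook is not reproduced here.

```csharp
using System;
using System.Net;
using System.Net.Http;

// Hypothetical helper (names are assumptions, not the exporter's API) that
// builds the HttpClient an exporter would hand to its HttpClientFactory hook.
public static class InstanaHttpClientFactory
{
    // Secure default: the proxy from INSTANA_ENDPOINT_PROXY is applied, but no
    // ServerCertificateCustomValidationCallback is set, so the framework's
    // normal chain and hostname validation still runs on the proxied TLS
    // connection. A proxy that intercepts traffic cannot present an arbitrary
    // certificate without the handshake failing.
    public static HttpClient Create()
    {
        var handler = new HttpClientHandler();

        var proxyUrl = Environment.GetEnvironmentVariable("INSTANA_ENDPOINT_PROXY");
        if (!string.IsNullOrWhiteSpace(proxyUrl))
        {
            handler.Proxy = new WebProxy(new Uri(proxyUrl));
            handler.UseProxy = true;
        }

        return new HttpClient(handler);
    }

    // Explicit opt-out that reproduces the vulnerable pre-fix behaviour.
    // It is a separate, clearly named factory so that disabling validation is
    // a conscious choice of the caller (e.g. a local dev box with a self-signed
    // proxy) rather than a side effect of merely setting the proxy variable.
    public static HttpClient CreateAcceptingAnyCertificate()
    {
        var handler = new HttpClientHandler
        {
            // Equivalent to "(_, _, _, _) => true"; built into .NET so the
            // intent is visible in code review and easy to grep for.
            ServerCertificateCustomValidationCallback =
                HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
        };

        var proxyUrl = Environment.GetEnvironmentVariable("INSTANA_ENDPOINT_PROXY");
        if (!string.IsNullOrWhiteSpace(proxyUrl))
        {
            handler.Proxy = new WebProxy(new Uri(proxyUrl));
            handler.UseProxy = true;
        }

        return new HttpClient(handler);
    }
}
```

When auditing a deployment for this issue, the thing to look for is a ServerCertificateCustomValidationCallback that unconditionally returns true (or uses DangerousAcceptAnyServerCertificateValidator) on the client that carries the Instana API key; the fixed exporter only does that when a caller supplies such a factory explicitly.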
Vulnerability Details
EPSS: 0.0%
May 8, 2026
Original source: https://github.com/advisories/GHSA-wfr5-454p-mjc2
First tracked: May 8, 2026 at 08:00 PM