CVE-2026-44213 Overview
CVE-2026-44213 affects the OpenTelemetry.Exporter.Instana NuGet package, which exports telemetry data to Instana backends. Versions prior to 1.1.0 fail to validate HTTPS/TLS certificates when sending telemetry through a proxy configured via the INSTANA_ENDPOINT_PROXY environment variable. An attacker positioned to intercept the proxy connection can perform a Man-in-the-Middle (MitM) attack. This exposes all OpenTelemetry telemetry data and the Instana API key to the attacker. The vulnerability is classified as CWE-295 (Improper Certificate Validation) and is fixed in version 1.1.0.
Critical Impact
Network attackers with proxy access can intercept telemetry traffic, harvest the Instana API key, and read sensitive observability data in cleartext.
Affected Products
- OpenTelemetry.Exporter.Instana NuGet package versions prior to 1.1.0
- .NET applications using the exporter with INSTANA_ENDPOINT_PROXY configured
- OpenTelemetry .NET Contrib distributions bundling the affected exporter
Discovery Timeline
- 2026-05-26 - CVE-2026-44213 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-44213
Vulnerability Analysis
The OpenTelemetry.Exporter.Instana package transmits telemetry data to an Instana backend over HTTPS. When the INSTANA_ENDPOINT_PROXY environment variable is set, the exporter routes outbound traffic through the specified proxy. The proxy-aware HTTP client path does not enforce TLS certificate validation on the upstream connection.
This allows any attacker with a network position between the proxy and the Instana endpoint, or any attacker controlling the proxy, to present a forged certificate. The exporter accepts the forged certificate and continues to transmit data. Telemetry payloads commonly include trace identifiers, span attributes, service metadata, and HTTP request details. The Instana API key used for backend authentication travels in the same flow and is exposed under interception.
Root Cause
The root cause is improper certificate validation in the proxy code path. The HTTP client used for proxied telemetry transmission does not verify that the server certificate chains to a trusted root, matches the configured hostname, or remains within its validity window. This deviates from the non-proxy code path and breaks the trust assumptions of HTTPS.
Attack Vector
Exploitation requires network adjacency to the proxy connection or control of the proxy host. The attacker presents a self-signed or attacker-controlled certificate during the TLS handshake. The exporter accepts the certificate without validation and establishes the session. The attacker then decrypts, inspects, and optionally modifies telemetry data, including the Instana API key transmitted in request headers.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-wfr5-454p-mjc2 for vendor technical details.
Detection Methods for CVE-2026-44213
Indicators of Compromise
- Outbound TLS sessions from .NET application hosts to proxy endpoints presenting self-signed or untrusted certificates
- Unexpected proxy configurations in environment variables, specifically INSTANA_ENDPOINT_PROXY
- Instana API key usage from unexpected source IP addresses or geographies
- Anomalous telemetry ingestion patterns or gaps in Instana backend data
Detection Strategies
- Inventory all .NET services using OpenTelemetry.Exporter.Instana and identify versions below 1.1.0
- Audit environment variables across deployment manifests, container images, and orchestration configurations for INSTANA_ENDPOINT_PROXY
- Inspect outbound TLS traffic from instrumented applications and validate the certificate chain presented by the proxy upstream
- Correlate Instana API key usage against approved source identities and alert on deviations
Monitoring Recommendations
- Log and review certificate fingerprints observed on outbound telemetry connections
- Monitor package manifests (packages.config, *.csproj, packages.lock.json) in CI/CD for vulnerable versions
- Alert on creation or modification of the INSTANA_ENDPOINT_PROXY environment variable in production workloads
- Track Instana API key rotation events and authentication failures from previously valid keys
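One way to automate the package-manifest and environment-variable checks listed above in CI, as an added example (not code from the advisory or the OpenTelemetry project). The file names and contents in SAMPLE are constructed; floating, range, or unspecified versions are conservatively flagged for manual review.

```python
import json
import re
import xml.etree.ElementTree as ET

PACKAGE = "opentelemetry.exporter.instana"  # NuGet ids compare case-insensitively
FIXED = (1, 1, 0)                           # first fixed release per the advisory
PROXY_VAR = "INSTANA_ENDPOINT_PROXY"

def is_vulnerable(version):
    """True if the version sorts below 1.1.0; unparseable values are flagged too."""
    m = re.match(r"[\[(\s]*(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.-]+)?", version or "")
    nums = tuple(int(g or 0) for g in m.groups()[:3]) if m else (0, 0, 0)
    return nums < FIXED or (nums == FIXED and m.group(4) is not None)  # 1.1.0-rc < 1.1.0

def versions_in(path, text):
    """Versions of the exporter referenced by one manifest (None = no version given)."""
    if path.endswith("packages.lock.json"):
        frameworks = json.loads(text).get("dependencies", {}).values()
        return [info.get("resolved") for fw in frameworks
                for name, info in fw.items() if name.lower() == PACKAGE]
    found = []
    for el in ET.fromstring(text).iter():      # *.csproj, *.props, packages.config
        tag = el.tag.rsplit("}", 1)[-1]        # drop the MSBuild XML namespace
        name = (el.get("Include") or el.get("id") or "").lower()
        if tag in ("PackageReference", "PackageVersion", "package") and name == PACKAGE:
            found.append(el.get("Version") or el.get("version"))
    return found

def audit(files):
    """files maps path -> text; returns (path, finding) tuples."""
    out = []
    for path, text in files.items():
        if path.endswith((".csproj", ".props", "packages.config", "packages.lock.json")):
            out += [(path, f"exporter version {v or 'unspecified'} not confirmed >= 1.1.0")
                    for v in versions_in(path, text) if is_vulnerable(v)]
        elif PROXY_VAR in text:                # deployment manifests, env files
            out.append((path, f"{PROXY_VAR} is set"))
    return out

SAMPLE = {  # constructed inputs, not taken from a real project
    "api/api.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup><PackageReference '
                      'Include="OpenTelemetry.Exporter.Instana" Version="1.0.3" /></ItemGroup></Project>',
    "worker/packages.lock.json": '{"version": 1, "dependencies": {"net8.0": {'
        '"OpenTelemetry.Exporter.Instana": {"type": "Direct", "resolved": "1.1.0"}}}}',
    "deploy/api.yaml": "env:\n  - name: INSTANA_ENDPOINT_PROXY\n    value: PLACEHOLDER\n",
}

if __name__ == "__main__":
    print(*(f"{p}: {f}" for p, f in audit(SAMPLE)), sep="\n")
```

A service that appears in both kinds of finding (old exporter version and the proxy variable set) matches the exposure condition described in this advisory and is a candidate for API key rotation.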
How to Mitigate CVE-2026-44213
Immediate Actions Required
- Upgrade OpenTelemetry.Exporter.Instana to version 1.1.0 or later across all .NET projects
- Rotate Instana API keys for any environment where the vulnerable version ran with a proxy configured
- Audit recent telemetry traffic for evidence of interception or anomalous routing
- Restrict outbound telemetry traffic to known-good proxies through firewall egress rules
Patch Information
The maintainers fixed this issue in OpenTelemetry.Exporter.Instana version 1.1.0. Update the NuGet reference and rebuild affected applications. Refer to the OpenTelemetry .NET Contrib Security Advisory for release notes and remediation guidance.
Workarounds
- Remove the INSTANA_ENDPOINT_PROXY environment variable and route telemetry directly to the Instana backend when network policy permits
- Terminate the proxy connection on a trusted host within the same security boundary as the application
- Enforce mutual TLS or a private trusted certificate authority between the application and the proxy until the package upgrade is complete
- Apply network segmentation to prevent untrusted hosts from reaching the proxy path
# Update the vulnerable package to the fixed version
dotnet add package OpenTelemetry.Exporter.Instana --version 1.1.0
# Verify the resolved version
dotnet list package | grep -i instana
# Remove the proxy variable as a temporary workaround if upgrade is delayed
unset INSTANA_ENDPOINT_PROXY


