The OpenTelemetry.Exporter.Instana component fails to enforce HTTPS/TLS certificate validation when a proxy is configured through the INSTANA_ENDPOINT_PROXY environment variable, as seen in versions before 1.1.0. This flaw allows an attacker who can perform a man‑in‑the‑middle (MitM) attack on the proxy to intercept all telemetry data sent to Instana as well as the Instana API key, effectively compromising confidentiality by leaking sensitive operational data and credentials. The weakness is an instance of insecure handling of transport layer security (CWE‑295).

This issue affects the OpenTelemetry dotnet contrib package named OpenTelemetry.Exporter.Instana for all versions prior to 1.1.0. Systems that use this NuGet package to export telemetry to Instana and configure a proxy via the INSTANA_ENDPOINT_PROXY variable are susceptible, regardless of host platform or deployment environment. User deployments using any earlier package version that sends data over HTTPS through a proxy are at risk.

The CVSS score of 6.5 indicates a medium severity risk. EPSS is currently not available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an external network adversary who can intercept the proxy connection; no privileged local access is required. If an attacker controls the proxy or can place a malicious proxy between the application and Instana, they can capture the unencrypted telemetry payloads and API key. The lack of certificate validation is the root of the exploitation path, making the vulnerability easily exploitable when a proxy is in use.