diff --git a/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md b/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md
index 07e13a8f5fc..714fb1be31a 100644
--- a/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md
+++ b/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md
@@ -2,6 +2,13 @@
## Unreleased
+* Added direct reference to `System.Text.Encodings.Web` with minimum version of
+`4.7.2` due to [CVE-2021-26701](https://github.com/dotnet/runtime/issues/49377).
+This impacts target frameworks `netstandard2.0` and `netstandard2.1` which has a
+reference to `Microsoft.AspNetCore.Http.Abstractions` that depends on
+`System.Text.Encodings.Web` >= 4.5.0.
+([#4399](https://github.com/open-telemetry/opentelemetry-dotnet/pull/4399))
+
* Improve perf by avoiding boxing of common status codes values.
([#4360](https://github.com/open-telemetry/opentelemetry-dotnet/pull/4360),
[#4363](https://github.com/open-telemetry/opentelemetry-dotnet/pull/4363))
diff --git a/src/OpenTelemetry.Instrumentation.AspNetCore/OpenTelemetry.Instrumentation.AspNetCore.csproj b/src/OpenTelemetry.Instrumentation.AspNetCore/OpenTelemetry.Instrumentation.AspNetCore.csproj
index 81cde3fb4c2..741700c518c 100644
--- a/src/OpenTelemetry.Instrumentation.AspNetCore/OpenTelemetry.Instrumentation.AspNetCore.csproj
+++ b/src/OpenTelemetry.Instrumentation.AspNetCore/OpenTelemetry.Instrumentation.AspNetCore.csproj
@@ -21,11 +21,13 @@
+
+