Skip to main content

Prometheus CVE-2026-42151

| EUVDEUVD-2026-27089 HIGH
Information Exposure (CWE-200)
2026-05-04 GitHub_M GHSA-wg65-39gg-5wfj
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
May 04, 2026 - 20:01 EUVD
Source Code Evidence Fetched
May 04, 2026 - 19:30 vuln.today
Analysis Generated
May 04, 2026 - 19:30 vuln.today

DescriptionCVE.org

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.

AnalysisAI

Prometheus monitoring system exposes Azure AD OAuth client secrets in plaintext via its /-/config HTTP API endpoint. Versions prior to 3.5.3 and 3.11.3 incorrectly type the client_secret field as a plain string instead of Prometheus's redacted Secret type, allowing remote unauthenticated attackers to retrieve sensitive Azure credentials from any exposed Prometheus instance configured for Azure AD remote write. The vulnerability has low exploitation complexity (CVSS AV:N/AC:L/PR:N) with 7.5 severity. Vendor-confirmed patches available in versions 3.5.3 and 3.11.3 (GitHub releases confirmed). EPSS data not provided; no CISA KEV listing indicating targeted exploitation campaigns at time of analysis.

Technical ContextAI

Prometheus is a widely-deployed open-source monitoring system with time series database capabilities, commonly used for Kubernetes and cloud infrastructure observability. The vulnerability lies in the storage/remote/azuread module responsible for Azure AD OAuth authentication in remote write configurations. The root cause (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) stems from using Go's native string type instead of Prometheus's config_util.Secret type from the prometheus/common/config library. The Secret type implements redaction mechanisms that automatically mask sensitive values when configuration is serialized and served via HTTP endpoints. The /-/config endpoint is a standard Prometheus API path that serves the running configuration, intended for debugging and operational visibility. Without proper Secret typing, the Azure OAuth client_secret field was serialized as plaintext JSON, exposing credentials with the same privileges as the Prometheus service's remote write identity. The affected CPE cpe:2.3:a:prometheus:prometheus indicates impact to the core Prometheus server component across vulnerable version ranges.

RemediationAI

Upgrade immediately to Prometheus version 3.5.3 (for 3.5.x users) or 3.11.3 (for 3.11.x users) as documented in vendor releases at https://github.com/prometheus/prometheus/releases. The patches implement type change from string to config_util.Secret for client_secret fields per PR #18587 and #18590. After patching, rotate all Azure AD OAuth client secrets exposed via the /-/config endpoint, as credentials should be considered compromised if the endpoint was accessible during the vulnerable period. Rotation procedure: (1) create new client secret in Azure AD app registration, (2) update Prometheus configuration with new secret, (3) restart Prometheus, (4) delete old secret in Azure portal. If immediate patching is not feasible, implement compensating controls: restrict network access to Prometheus /-/config endpoint via firewall rules or reverse proxy authentication (note: this adds operational complexity for legitimate debugging workflows), or disable Azure AD remote write temporarily and use alternative authentication methods like managed identities where supported (requires infrastructure changes). Monitor Azure AD sign-in logs for suspicious OAuth token requests using the exposed client ID during the exposure window. No workaround provides complete protection; patching is the only full remediation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Manager Client Tools 15 Fixed

Share

CVE-2026-42151 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy