Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
AnalysisAI
Prometheus monitoring system exposes Azure AD OAuth client secrets in plaintext via its /-/config HTTP API endpoint. Versions prior to 3.5.3 and 3.11.3 incorrectly type the client_secret field as a plain string instead of Prometheus's redacted Secret type, allowing remote unauthenticated attackers to retrieve sensitive Azure credentials from any exposed Prometheus instance configured for Azure AD remote write. The vulnerability has low exploitation complexity (CVSS AV:N/AC:L/PR:N) with 7.5 severity. Vendor-confirmed patches available in versions 3.5.3 and 3.11.3 (GitHub releases confirmed). EPSS data not provided; no CISA KEV listing indicating targeted exploitation campaigns at time of analysis.
Technical ContextAI
Prometheus is a widely-deployed open-source monitoring system with time series database capabilities, commonly used for Kubernetes and cloud infrastructure observability. The vulnerability lies in the storage/remote/azuread module responsible for Azure AD OAuth authentication in remote write configurations. The root cause (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) stems from using Go's native string type instead of Prometheus's config_util.Secret type from the prometheus/common/config library. The Secret type implements redaction mechanisms that automatically mask sensitive values when configuration is serialized and served via HTTP endpoints. The /-/config endpoint is a standard Prometheus API path that serves the running configuration, intended for debugging and operational visibility. Without proper Secret typing, the Azure OAuth client_secret field was serialized as plaintext JSON, exposing credentials with the same privileges as the Prometheus service's remote write identity. The affected CPE cpe:2.3:a:prometheus:prometheus indicates impact to the core Prometheus server component across vulnerable version ranges.
RemediationAI
Upgrade immediately to Prometheus version 3.5.3 (for 3.5.x users) or 3.11.3 (for 3.11.x users) as documented in vendor releases at https://github.com/prometheus/prometheus/releases. The patches implement type change from string to config_util.Secret for client_secret fields per PR #18587 and #18590. After patching, rotate all Azure AD OAuth client secrets exposed via the /-/config endpoint, as credentials should be considered compromised if the endpoint was accessible during the vulnerable period. Rotation procedure: (1) create new client secret in Azure AD app registration, (2) update Prometheus configuration with new secret, (3) restart Prometheus, (4) delete old secret in Azure portal. If immediate patching is not feasible, implement compensating controls: restrict network access to Prometheus /-/config endpoint via firewall rules or reverse proxy authentication (note: this adds operational complexity for legitimate debugging workflows), or disable Azure AD remote write temporarily and use alternative authentication methods like managed identities where supported (requires infrastructure changes). Monitor Azure AD sign-in logs for suspicious OAuth token requests using the exposed client ID during the exposure window. No workaround provides complete protection; patching is the only full remediation.
More in Prometheus
View allUnsafe PHP deserialization in openITCOCKPIT Community Edition 5.3.1 and earlier allows authenticated attackers to inject
Remote code execution in openITCOCKPIT 5.3.1 and earlier via unsafe deserialization in the Gearman worker component, whi
Memory exhaustion in Prometheus remote read endpoint allows unauthenticated attackers to crash the monitoring server via
Prometheus is an open-source monitoring system and time series database. Rated medium severity (CVSS 6.1), this vulnerab
Scraparr versions 3.0.0-beta through 3.0.1 expose Readarr API keys in plaintext through the /metrics endpoint when the R
Denial of Service in Prometheus and Kibana metricsets can be triggered by sending specially crafted malformed payloads t
A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. Rated medium severity
Stored cross-site scripting in Prometheus versions 2.49.0 through 3.5.2/3.11.2 allows a low-privileged attacker who can
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools for SLE 15 | Fixed |
| SUSE Multi-Linux Manager Client Tools for SLE 15 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Proxy Module 4.3 | Fixed |
| SUSE Enterprise Storage 6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Manager Proxy Module 4.1 | Fixed |
| SUSE Manager Proxy Module 4.2 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Multi Linux Manager Tools SLE-15 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27089
GHSA-wg65-39gg-5wfj