
OpenTelemetry Operator CVE-2026-47701

Severity: HIGH
Weakness: Information Exposure (CWE-200)
2026-06-10 · https://github.com/open-telemetry/opentelemetry-operator · GHSA-cxh2-4639-vmc5
CVSS 3.1 base score: 7.7 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 7.7 HIGH
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory; the only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: Jun 10, 2026 - 17:53 (vuln.today)
Analysis Generated: Jun 10, 2026 - 17:53 (vuln.today)

Description (GitHub Advisory)

Affected

Repository: github.com/open-telemetry/opentelemetry-operator
Component: cmd/otel-allocator (TargetAllocator)
Companion: Prometheus Operator API types (CRDs)

Summary

OpenTelemetry Operator's TargetAllocator watches ServiceMonitor resources via the Prometheus Operator CR watcher and converts each selected endpoint into a Prometheus scrape configuration entry. The endpoint field bearerTokenFile is preserved through the conversion as HTTPClientConfig.Authorization.CredentialsFile. The OpenTelemetry Collector, configured with the Prometheus receiver, then loads that scrape config and, at scrape time, reads the file from its own pod filesystem and sends the contents as Authorization: Bearer ... to the scrape endpoint.

A tenant who can create or update a ServiceMonitor selected by TargetAllocator can set bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token and a scrape target the tenant controls. The Collector then ships its mounted service account JWT to that target on every scrape interval.

The Prometheus Operator project addressed the same primitive via the ArbitraryFSAccessThroughSMs.Deny admission/runtime guard.

Preconditions

The OpenTelemetry Collector needs to be deployed with targetAllocator.prometheusCR.enabled: true and a serviceMonitorSelector / serviceMonitorNamespaceSelector matching at least one namespace where the attacker can create or update a ServiceMonitor (or, equivalently, a TargetAllocator resource with the same settings). The Collector pod needs to have its service account token mounted, and the Collector needs to be able to reach the scrape target chosen by the attacker.

Impact

A tenant's ServiceMonitor write permission becomes equivalent to the OpenTelemetry Collector pod's service account against the Kubernetes API. The real impact depends on what the Collector service account is granted in a given deployment. Typical cluster monitoring setups grant pod, node, endpoint, namespace, and service list across the cluster, which is enough to enumerate and identify further targets. The same primitive can read any file the Collector pod has on disk, including mounted certificates and other tokens.

Fix

https://github.com/open-telemetry/opentelemetry-operator/pull/5104 adds support for dropping ServiceMonitor and PodMonitor endpoints that read arbitrary files. When DenyFSAccessThroughSMs is enabled, the Target Allocator drops any ServiceMonitor or PodMonitor endpoint that references a file on the filesystem: endpoints with bearerTokenFile, tlsConfig.caFile, tlsConfig.certFile, or tlsConfig.keyFile are removed from the produced scrape configuration while the remaining endpoints are kept. This prevents tenants from stealing the Collector's service account token via ServiceMonitor bearerTokenFile references, and is the equivalent of ArbitraryFSAccessThroughSMs.Deny from the Prometheus Operator.
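The DenyFSAccessThroughSMs behaviour described above, as an added Go example that is not the operator's own code: a simplified mirror of the ServiceMonitor endpoint fields the advisory names, a filter that drops file-referencing endpoints when the guard is enabled and keeps the rest, and an audit routine a defender can run over the JSON from `kubectl get servicemonitors -A -o json` to find existing monitors that reference files on the Collector's filesystem. The struct definitions, the helper names and the constructed sample list are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Simplified mirror of the monitoring.coreos.com/v1 ServiceMonitor endpoint
// fields that name files on the scraping pod's filesystem. The JSON tags are
// the field names the advisory lists; the types themselves are assumptions of
// this example, not the operator's or Prometheus Operator's own.
type TLSConfig struct {
	CAFile   string `json:"caFile,omitempty"`
	CertFile string `json:"certFile,omitempty"`
	KeyFile  string `json:"keyFile,omitempty"`
}

type Endpoint struct {
	Port            string     `json:"port,omitempty"`
	BearerTokenFile string     `json:"bearerTokenFile,omitempty"`
	TLSConfig       *TLSConfig `json:"tlsConfig,omitempty"`
}

// ServiceMonitorList matches the shape of `kubectl get servicemonitors -A -o json`
// closely enough for an audit (encoding/json matches field names case-insensitively).
type ServiceMonitorList struct {
	Items []struct {
		Metadata struct{ Name, Namespace string }
		Spec     struct{ Endpoints []Endpoint }
	}
}

// FileRefs lists every endpoint field that points at a file on the Collector
// pod's filesystem; an empty result means the endpoint survives the deny guard.
func FileRefs(ep Endpoint) []string {
	var refs []string
	if ep.BearerTokenFile != "" {
		refs = append(refs, "bearerTokenFile="+ep.BearerTokenFile)
	}
	if ep.TLSConfig != nil {
		for _, f := range []struct{ name, val string }{
			{"tlsConfig.caFile", ep.TLSConfig.CAFile},
			{"tlsConfig.certFile", ep.TLSConfig.CertFile},
			{"tlsConfig.keyFile", ep.TLSConfig.KeyFile},
		} {
			if f.val != "" {
				refs = append(refs, f.name+"="+f.val)
			}
		}
	}
	return refs
}

// FilterEndpoints applies the DenyFSAccessThroughSMs policy the advisory
// describes: with deny set, endpoints referencing files are dropped and the
// rest are kept; with deny unset nothing is filtered (the pre-fix behaviour).
func FilterEndpoints(eps []Endpoint, deny bool) (kept, dropped []Endpoint) {
	for _, ep := range eps {
		if deny && len(FileRefs(ep)) > 0 {
			dropped = append(dropped, ep)
			continue
		}
		kept = append(kept, ep)
	}
	return kept, dropped
}

// AuditServiceMonitors returns one finding per endpoint that references a
// file, so existing monitors can be reviewed before the guard is switched on.
func AuditServiceMonitors(raw []byte) ([]string, error) {
	var list ServiceMonitorList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var findings []string
	for _, sm := range list.Items {
		for i, ep := range sm.Spec.Endpoints {
			for _, ref := range FileRefs(ep) {
				findings = append(findings, fmt.Sprintf("%s/%s endpoints[%d]: %s",
					sm.Metadata.Namespace, sm.Metadata.Name, i, ref))
			}
		}
	}
	return findings, nil
}

// sampleList is a constructed ServiceMonitorList: one benign monitor and one
// whose second endpoint names the service account token path from the advisory.
const sampleList = `{"items":[
 {"metadata":{"name":"app-metrics","namespace":"team-a"},
  "spec":{"endpoints":[{"port":"http"}]}},
 {"metadata":{"name":"suspicious","namespace":"team-b"},
  "spec":{"endpoints":[{"port":"http"},
   {"port":"https","bearerTokenFile":"/var/run/secrets/kubernetes.io/serviceaccount/token",
    "tlsConfig":{"caFile":"/etc/ssl/certs/ca-certificates.crt"}}]}}]}`

func main() {
	findings, err := AuditServiceMonitors([]byte(sampleList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("file reference:", f)
	}
}
```

Each finding names the namespace, monitor and endpoint index, so it can be traced back to the owning tenant; PodMonitor endpoints carry the same file fields and can be audited the same way. On an unpatched cluster the audit doubles as a compensating check until the operator is upgraded and the deny guard is turned on.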

Analysis (AI-generated)

Service account token disclosure in OpenTelemetry Operator's TargetAllocator (versions prior to 0.152.0) allows a tenant with ServiceMonitor write permissions in a watched namespace to exfiltrate the OpenTelemetry Collector pod's mounted Kubernetes service account JWT or any other file on the Collector's filesystem. By setting the bearerTokenFile field on a ServiceMonitor to an arbitrary path (such as /var/run/secrets/kubernetes.io/serviceaccount/token) and pointing the scrape target to an attacker-controlled endpoint, the Collector reads the file and ships its contents as an Authorization: Bearer header on every scrape interval. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Obtain tenant ServiceMonitor write in watched namespace
  • Delivery: Stand up attacker-controlled HTTPS scrape target
  • Exploit: Create ServiceMonitor with bearerTokenFile pointing to serviceaccount token
  • Install: TargetAllocator converts endpoint to Prometheus scrape config
  • C2: Collector reads file and sends contents as bearer token
  • Execute: Capture JWT and replay against Kubernetes API
  • Impact: Enumerate cluster resources via Collector ServiceAccount RBAC

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires the OpenTelemetry Operator to be deployed with targetAllocator.prometheusCR.enabled: true and a serviceMonitorSelector or serviceMonitorNamespaceSelector that matches at least one namespace in which the attacker holds Kubernetes RBAC permission to create or update a ServiceMonitor (or PodMonitor) resource (equivalently, a TargetAllocator CR with matching selectors). …

Risk Assessment: The CVSS 3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) accurately captures the risk profile: network-reachable, low complexity, low privileges required (tenant ServiceMonitor write in a watched namespace), no user interaction, and a scope-changed confidentiality impact reflecting that one tenant's permissions yield the Collector's cluster-wide service account. …

Exploit Scenario: A developer with namespace-scoped Kubernetes credentials in a multi-tenant cluster running the OpenTelemetry Operator creates a ServiceMonitor with bearerTokenFile set to /var/run/secrets/kubernetes.io/serviceaccount/token and an endpoint pointing at an HTTPS listener they control on the cluster network. Within one scrape interval the OpenTelemetry Collector pod reads its own mounted service account JWT and transmits it as an Authorization: Bearer header to the attacker, who then replays the token against the Kubernetes API to enumerate pods, nodes, secrets, or other resources granted to the Collector ServiceAccount. …

Remediation: Vendor-released patch: upgrade the OpenTelemetry Operator to version 0.152.0 or later, which introduces the DenyFSAccessThroughSMs field on both the v1alpha1 OpenTelemetryCollector and v1beta1 TargetAllocator CRDs (see https://github.com/open-telemetry/opentelemetry-operator/pull/5104). Set targetAllocator.prometheusCR.denyFSAccessThroughSMs: true (mirroring Prometheus Operator's ArbitraryFSAccessThroughSMs.Deny) so that the TargetAllocator drops any ServiceMonitor or PodMonitor endpoint referencing bearerTokenFile, tlsConfig.caFile, tlsConfig.certFile, or tlsConfig.keyFile while preserving the remaining endpoints. …

Recommended Action (AI-generated)

Within 24 hours: Identify all OpenTelemetry Operator deployments and document current versions running in production. …
