Prometheus Azure AD remote write OAuth client secret exposed via...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.

Basic Information

ID CVE-2026-42151

Source GitHub_M

Published May 4, 2026 at 18:12

Affected Product

Vendor prometheus

Product prometheus

Version < 3.5.3

Affected Versions prometheus prometheus < 3.5.3
prometheus prometheus >= 3.6.0, < 3.11.3

CWE Classification

CWE-200 CWE-312

References

{
    "lastseen": "",
    "description": "Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.",
    "published": "2026-05-04T18:12:16.917Z",
    "modified": "2026-05-04T18:12:16.917Z",
    "type": "cve",
    "title": "Prometheus Azure AD remote write OAuth client secret exposed via config API",
    "source": "GitHub_M",
    "references": "https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj\nhttps://github.com/prometheus/prometheus/pull/18587\nhttps://github.com/prometheus/prometheus/pull/18590\nhttps://github.com/prometheus/prometheus/releases/tag/v3.11.3\nhttps://github.com/prometheus/prometheus/releases/tag/v3.5.3",
    "id": "CVE-2026-42151",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200",
        "CWE-312"
    ],
    "cvelist": null,
    "sourceData": "prometheus prometheus < 3.5.3\nprometheus prometheus >= 3.6.0, < 3.11.3",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "prometheus",
    "version": "< 3.5.3",
    "vendor": "prometheus",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Prometheus Azure AD remote write OAuth client secret exposed via config API_CVE-2026-42151