CVE-2026-42151
Published: 04 May 2026
Description
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the controls below are generic and derived only from the weakness types (CWEs) cited in the NVD entry. None of them addresses the defect itself, which is a type error in Prometheus's own configuration code; the concrete remediation is the upgrade and credential rotation described in the summary.
- A data action map identifies where sensitive information may be exposed to unauthorized actors during processing or transfer.
- A media protection policy defines requirements and procedures to prevent unauthorized disclosure of, or access to, sensitive information stored on media.
- Encrypting or otherwise protecting data at rest directly prevents unauthorized actors from reading sensitive information stored on disk or other media.
- Applying OPSEC processes across the SDLC directly prevents exposure of critical organizational information.
- Automated marking applies security attributes to system outputs, so that unmarked sensitive output is harder for an attacker to exploit and less likely to be exposed without authorization.
- Retaining security attributes and enforcing their permitted values keeps unauthorized actors from accessing sensitive information that lacks the correct labels.
- Prohibiting untrusted external systems from processing or storing sensitive information prevents its unauthorized exposure.
- Requiring authorization to match before information is shared reduces the risk of exposing sensitive information to unauthorized actors.
Security Summary (AI-generated)
CVE-2026-42151 affects Prometheus, an open-source monitoring system and time series database, in versions prior to 3.5.3 and 3.11.3. The vulnerability stems from the client_secret field in the Azure AD remote write OAuth configuration (under storage/remote/azuread) being typed as a plain string rather than as Secret. Prometheus redacts Secret-typed fields when it serves the running configuration via the /-/config HTTP API endpoint, but a plain string gets no such treatment, so the Azure OAuth client secret was returned in plaintext. This is a defect in Prometheus's code, not an operator misconfiguration: no remote_write setting avoids it.
Any user or process that can reach /-/config over the network can read the secret with a single GET. The endpoint is unauthenticated unless the operator has enabled basic auth or TLS client authentication through the --web.config.file web configuration, or placed an authenticating reverse proxy in front of Prometheus; that default is what the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects, and in deployments that do restrict the endpoint the exposure is limited to whoever can reach it. The disclosed value is the client credential of the Azure AD application registration used for remote write, so whoever holds it can obtain OAuth tokens as that application and act with whatever permissions the registration has been granted. The issue maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-312 (Cleartext Storage of Sensitive Information).
Prometheus addressed this in versions 3.5.3 and 3.11.3 by changing the field type to Secret so that the existing redaction applies. Upgrade to one of those releases, as detailed in GitHub security advisory GHSA-wg65-39gg-5wfj and the corresponding release notes; pull requests #18587 and #18590 carry the fix. Upgrading stops further disclosure but does not undo any that already happened: if /-/config was reachable by anyone untrusted while a vulnerable version was running, treat the secret as compromised, rotate the Azure AD client secret, and update the remote_write configuration with the new value. Until the upgrade lands, restricting access to /-/config (web configuration file authentication or a reverse proxy) limits who can read it.
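Below is an added example (not part of the advisory and not Prometheus project code) of the check a practitioner would run against an instance: fetch /-/config and flag any client_secret whose value is not the <secret> placeholder. The two YAML bodies are constructed to resemble the rendered remote_write block and are not captured from a real instance; the in-process httptest server stands in for Prometheus so the block runs offline, and ExposedSecrets, CheckConfigEndpoint and NewFakePrometheus are names chosen for this example. To test a live deployment, point CheckConfigEndpoint at http://<host>:9090 with an http.Client that carries whatever credentials your instance requires.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// vulnerableConfig and fixedConfig are constructed sample responses shaped
// like the YAML /-/config returns for a remote_write block with azuread
// OAuth. They are not captured from a real instance; IDs are placeholders.
const vulnerableConfig = `global:
  scrape_interval: 15s
remote_write:
- url: https://example.invalid/api/v1/write
  azuread:
    cloud: AzurePublic
    oauth:
      client_id: 11111111-2222-3333-4444-555555555555
      client_secret: constructed-plaintext-secret
      tenant_id: 66666666-7777-8888-9999-000000000000
`

const fixedConfig = `global:
  scrape_interval: 15s
remote_write:
- url: https://example.invalid/api/v1/write
  azuread:
    cloud: AzurePublic
    oauth:
      client_id: 11111111-2222-3333-4444-555555555555
      client_secret: <secret>
      tenant_id: 66666666-7777-8888-9999-000000000000
`

// ExposedSecrets scans a rendered Prometheus config for client_secret keys
// whose value is neither empty nor the redaction placeholder. It is
// line-based on purpose: no YAML library is needed, and it catches the same
// key wherever it appears (azuread oauth here, but also any other block).
func ExposedSecrets(config string) []string {
	var exposed []string
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		key, val, ok := strings.Cut(strings.TrimSpace(sc.Text()), ":")
		if !ok || strings.TrimSpace(key) != "client_secret" {
			continue
		}
		val = strings.TrimSpace(val)
		if val != "" && val != "<secret>" {
			exposed = append(exposed, val)
		}
	}
	return exposed
}

// CheckConfigEndpoint fetches /-/config from a Prometheus base URL and
// returns any plaintext client_secret values found. A single unauthenticated
// GET matches the PR:N in the CVSS vector; supply a client with credentials
// if the instance sits behind basic auth or a proxy.
func CheckConfigEndpoint(client *http.Client, baseURL string) ([]string, error) {
	resp, err := client.Get(strings.TrimRight(baseURL, "/") + "/-/config")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s from /-/config", resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	return ExposedSecrets(string(body)), nil
}

// NewFakePrometheus serves a fixed config body at /-/config so the check can
// be exercised offline. It is a test double for this example, not Prometheus.
func NewFakePrometheus(config string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/-/config", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		io.WriteString(w, config)
	})
	return httptest.NewServer(mux)
}

func main() {
	for _, c := range []struct{ name, body string }{{"vulnerable", vulnerableConfig}, {"fixed", fixedConfig}} {
		srv := NewFakePrometheus(c.body)
		found, err := CheckConfigEndpoint(srv.Client(), srv.URL)
		srv.Close()
		if err != nil {
			fmt.Printf("%s: error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%s: %d exposed client_secret value(s) %q\n", c.name, len(found), found)
	}
}
```

A non-empty result means the instance is either unpatched or the secret was already exposed to anyone who could reach the endpoint; in both cases the credential should be rotated, not just the binary upgraded.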
Details
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-312 (Cleartext Storage of Sensitive Information)
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Unauthenticated network access to the /-/config endpoint maps to T1190 (Exploit Public-Facing Application) wherever the instance is reachable by untrusted clients. The resulting plaintext disclosure of the Azure AD client_secret maps to T1552 (Unsecured Credentials) and T1602 (Data from Configuration Repository): the field was not typed as Secret, so the redaction that protects other credentials in the served configuration did not apply to it.