Prometheus Azure AD remote write OAuth client secret exposed via config API
Summary
| CVE | CVE-2026-42151 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-04 19:16:04 UTC |
| Updated | 2026-07-10 12:16:51 UTC |
| Description | Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.000100000 probability, percentile 0.010590000 (date 2026-05-12)
Problem Types: CWE-200 | CWE-312 | CWE-256 | CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | CWE-312 CWE-312: Cleartext Storage of Sensitive Information | CWE-256 Plaintext Storage of a Password
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Prometheus | Prometheus | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Prometheus | Prometheus | affected < 3.5.3 | Not specified |
| CNA | Prometheus | Prometheus | affected >= 3.6.0, < 3.11.3 | Not specified |
| ADP | Red Hat | RHEM 1.0 For RHEL 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Edge Manager 1.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | Not specified | Not specified |
| ADP | Red Hat | Red Hat Trusted Artifact Signer 1.4 | Not specified | Not specified |
| ADP | Red Hat | Custom Metric Autoscaler Operator For Red Hat Openshift | Not specified | Not specified |
| ADP | Red Hat | File Integrity Operator | Not specified | Not specified |
| ADP | Red Hat | Logging Subsystem For Red Hat OpenShift | Not specified | Not specified |
| ADP | Red Hat | Network Observability Operator | Not specified | Not specified |
| ADP | Red Hat | OpenShift Lightspeed | Not specified | Not specified |
| ADP | Red Hat | Red Hat Advanced Cluster Management For Kubernetes 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ceph Storage 5 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ceph Storage 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ceph Storage 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ceph Storage 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ceph Storage 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Edge Manager 1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Distributed Tracing 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift GitOps | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenStack Platform 18.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Quay 3 | Not specified | Not specified |
| ADP | Red Hat | Multicluster Global Hub | Not specified | Not specified |
| ADP | Red Hat | OpenShift Service Mesh 2 | Not specified | Not specified |
| ADP | Red Hat | OpenShift Service Mesh 3 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:34357 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36797 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/prometheus/prometheus/pull/18587 | [email protected] | github.com | Issue Tracking, Patch |
| access.redhat.com/errata/RHSA-2026:37272 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36651 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25504 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37267 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42151.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/prometheus/prometheus/releases/tag/v3.5.3 | [email protected] | github.com | Release Notes |
| access.redhat.com/errata/RHSA-2026:37271 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25039 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/prometheus/prometheus/pull/18590 | [email protected] | github.com | Issue Tracking, Patch |
| access.redhat.com/errata/RHSA-2026:36796 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34359 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj | [email protected] | github.com | Vendor Advisory |
| github.com/prometheus/prometheus/releases/tag/v3.11.3 | [email protected] | github.com | Release Notes |
| access.redhat.com/errata/RHSA-2026:25245 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-42151 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-04T19:02:26.983Z | Reported to Red Hat. |
| ADP | 2026-05-04T18:12:16.917Z | Made public. |
Solutions
ADP: RHSA-2026:36796: RHEM 1.0 for RHEL 9
ADP: RHSA-2026:34357: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:34359: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:36651: Red Hat Edge Manager 1.0
ADP: RHSA-2026:25039: Red Hat Hardened Images
ADP: RHSA-2026:25504: Red Hat Hardened Images
ADP: RHSA-2026:25245: Red Hat Hardened Images
ADP: RHSA-2026:36797: Red Hat Trusted Artifact Signer 1.4
ADP: RHSA-2026:37272: Red Hat Trusted Artifact Signer 1.4
ADP: RHSA-2026:37267: Red Hat Trusted Artifact Signer 1.4
ADP: RHSA-2026:37271: Red Hat Trusted Artifact Signer 1.4