Description
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Published: 2026-05-04
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Azure AD remote‑write OAuth configuration field `client_secret` being stored as a plain string. Because Prometheus only redacts values of type Secret in the /-/config API, the secret is returned in cleartext to anyone who can access the endpoint. This exposure permits an attacker to obtain the OAuth client credential, which could be used to authenticate to Prometheus services and gain unauthorized access to sensitive monitoring data or modify metric streams.

Affected Systems

Prometheus versions prior to 3.5.3 and 3.11.3 are affected. The issue was fixed in releases 3.5.3 and 3.11.3, and any later version should be considered secure.

Risk and Exploitability

The CVSS score of 7.5 indicates a significant impact. Although an EPSS score is not provided, the absence of the vulnerability from CISA's KEV catalog suggests it has not yet been widely exploited. Attackers can exploit the flaw by accessing the internal /-/config endpoint; if the endpoint is exposed to the network or accessible to local processes, the secret can be read and subsequently used to impersonate Prometheus and compromise the confidentiality of monitoring data.

Generated by OpenCVE AI on May 4, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Prometheus to version 3.5.3 or newer (including 3.11.3 and later releases) to correct the configuration type and enable secret redaction.
  • Restrict access to the internal /-/config endpoint so that only trusted users or systems can query it, preventing unauthorized disclosure of the client secret.
  • Review existing Azure AD remote‑write OAuth configurations after patching to confirm that the client_secret field is now stored as a Secret and is no longer visible in the config API.

Generated by OpenCVE AI on May 4, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Prometheus
Prometheus prometheus
Vendors & Products Prometheus
Prometheus prometheus

Mon, 04 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Title Prometheus Azure AD remote write OAuth client secret exposed via config API
Weaknesses CWE-200
CWE-312
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Prometheus Prometheus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T19:55:09.255Z

Reserved: 2026-04-24T17:15:21.835Z

Link: CVE-2026-42151

cve-icon Vulnrichment

Updated: 2026-05-04T19:54:59.725Z

cve-icon NVD

Status : Received

Published: 2026-05-04T19:16:04.220

Modified: 2026-05-04T19:16:04.220

Link: CVE-2026-42151

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T21:00:09Z

Weaknesses