Description
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Published: 2026-05-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Azure AD remote‑write OAuth configuration field `client_secret` being stored as a plain string. Because Prometheus only redacts values of type Secret in the /-/config API, the secret is returned in cleartext to anyone who can access the endpoint. This exposure permits an attacker to obtain the OAuth client credential, which could be used to authenticate to Prometheus services and gain unauthorized access to sensitive monitoring data or modify metric streams.

Affected Systems

Prometheus versions prior to 3.5.3 and 3.11.3 are affected. The issue was fixed in releases 3.5.3 and 3.11.3, and any later version should be considered secure.

Risk and Exploitability

The CVSS score of 7.5 indicates a significant impact. The EPSS score of 0.0001 (less than 1%) shows a very low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog, suggesting it has not yet been widely exploited. Attackers can exploit the flaw by accessing the internal /-/config endpoint; if the endpoint is exposed to the network or accessible to local processes, the secret can be read and subsequently used to impersonate Prometheus and compromise the confidentiality of monitoring data.

Generated by OpenCVE AI on May 26, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Prometheus to version 3.5.3 or newer (including 3.11.3 and later releases) to correct the configuration type and enable secret redaction.
  • Restrict access to the internal /-/config endpoint so that only trusted users or systems can query it, preventing unauthorized disclosure of the client secret.
  • Review existing Azure AD remote‑write OAuth configurations after patching to confirm that the client_secret field is now stored as a Secret and is no longer visible in the config API.

Generated by OpenCVE AI on May 26, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wg65-39gg-5wfj Prometheus Azure AD remote write OAuth client secret exposed via config API
History

Tue, 26 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-256
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*

Mon, 04 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Prometheus
Prometheus prometheus
Vendors & Products Prometheus
Prometheus prometheus

Mon, 04 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Title Prometheus Azure AD remote write OAuth client secret exposed via config API
Weaknesses CWE-200
CWE-312
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Prometheus Prometheus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T19:55:09.255Z

Reserved: 2026-04-24T17:15:21.835Z

Link: CVE-2026-42151

cve-icon Vulnrichment

Updated: 2026-05-04T19:54:59.725Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-04T19:16:04.220

Modified: 2026-05-11T17:22:07.227

Link: CVE-2026-42151

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-04T18:12:16Z

Links: CVE-2026-42151 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T14:00:06Z

Weaknesses