Impact
The azureauthextension component of OpenTelemetry Collector Contrib implements Azure authentication for receivers but does not validate incoming bearer tokens as JSON Web Tokens (JWTs). Instead, the server side obtains an access token with its own configured identity and accepts the request if the client-supplied token string is equal to it. The scope for that server-side token request is derived from the Host header the client sends, so the client chooses which resource the collector mints a token for.

Because the check is plain string equality, any party holding a valid Azure access token for a scope the collector's identity can mint (ARM, Microsoft Graph, Key Vault, Storage and so on) can replay that token to any OTel receiver that uses the azure_auth mechanism: a Host header matching the token's resource makes the minted token and the replayed token identical, and the request is accepted. In practice this means a token issued to the collector's own identity, for any resource, that the attacker has obtained a copy of. The token stays usable for its full lifetime, typically an hour or more. The attacker therefore authenticates to the receiver as a legitimate client over the network, can inject telemetry, and may reach whatever data the receiver exposes.

The weakness is Improper Authentication (CWE-287). The advisory also tags CWE-208 (Observable Timing Discrepancy, which applies to the string-equality comparison); the token replay itself corresponds to CWE-294 (Authentication Bypass by Capture-replay). Since the only prerequisite is a token that the collector's identity is entitled to obtain, which standard Azure AD flows issue routinely, the practical impact is significant. The fix is to verify the bearer token as a JWT (signature against the tenant's signing keys, issuer, an audience fixed by configuration rather than by the Host header, and expiry) instead of comparing strings. Until a fixed release is deployed, restrict network exposure of receivers that use azure_auth or disable the authenticator.
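The two designs side by side, as an added example written in Go for this page rather than code taken from the azureauthextension itself: vulnerableAuthenticate follows the pattern the advisory describes (scope derived from the Host header, mint a token, compare strings), while hardenedAuthenticate treats the bearer as an RS256 JWT and checks signature, issuer, a configured audience and expiry. The issuer URL, audience strings, host names and the locally generated signing key are all constructed fixtures; a real implementation would fetch the tenant's JWKS and also accept an array-valued aud claim.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims is the subset of JWT claims the hardened check needs. Entra ID can
// also emit "aud" as an array; a single string is enough for this illustration.
type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// signRS256 produces a compact RS256 JWT. It stands in for the identity
// provider; the key is generated locally and is a test fixture, not an Azure key.
func signRS256(key *rsa.PrivateKey, c claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil { return "", err }
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}

// vulnerableAuthenticate mirrors the flawed design: the scope is derived from the
// client-controlled Host header, a token is minted for that scope with the
// collector's own credential (mint stands in for it), and the client's bearer
// is accepted when the two strings are equal.
func vulnerableAuthenticate(mint func(scope string) string, host, bearer string) bool {
	return mint("https://"+host+"/.default") == bearer
}

// hardenedAuthenticate pins the algorithm, verifies the signature with the
// issuer's public key, and checks iss, aud and exp. The expected audience comes
// from configuration, never from the request.
func hardenedAuthenticate(pub *rsa.PublicKey, wantIss, wantAud string, now time.Time, bearer string) error {
	parts := strings.Split(bearer, ".")
	if len(parts) != 3 { return errors.New("not a compact JWT") }
	hdrRaw, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil { return errors.New("malformed base64url segment") }
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return errors.New("unexpected alg") // also rejects alg=none
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("bad signature")
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil { return err }
	switch {
	case c.Iss != wantIss:
		return fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != wantAud:
		return fmt.Errorf("wrong audience %q", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return errors.New("token expired")
	}
	return nil
}

// demo replays a Graph-audience token against both authenticators. Issuer,
// audiences and hosts are constructed values for the example.
func demo() (vulnAccepts, hardenedRejects, hardenedAccepts bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return }
	const iss = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
	now := time.Unix(1700000000, 0)
	exp := now.Add(time.Hour).Unix()
	graphTok, err := signRS256(key, claims{Iss: iss, Aud: "https://graph.microsoft.com", Exp: exp})
	if err != nil { return }
	collTok, err := signRS256(key, claims{Iss: iss, Aud: "api://otel-collector", Exp: exp})
	if err != nil { return }
	// Simulated credential: returns the token the identity would mint per scope.
	minted := map[string]string{
		"https://graph.microsoft.com/.default": graphTok,
		"https://otel-collector/.default":      collTok,
	}
	mint := func(scope string) string { return minted[scope] }

	// Attacker sends the captured Graph token with "Host: graph.microsoft.com".
	vulnAccepts = vulnerableAuthenticate(mint, "graph.microsoft.com", graphTok)
	hardenedRejects = hardenedAuthenticate(&key.PublicKey, iss, "api://otel-collector", now, graphTok) != nil
	hardenedAccepts = hardenedAuthenticate(&key.PublicKey, iss, "api://otel-collector", now, collTok) == nil
	return
}

func main() {
	v, r, a, err := demo()
	fmt.Println("vulnerable accepts replayed Graph token:", v, "| hardened rejects it:", r, "| hardened accepts collector token:", a, err)
}
```

The important design point is in hardenedAuthenticate: the audience it compares against is a configured constant, so nothing the client sends (Host header included) can steer which resource's token is acceptable, and a token minted for Graph, ARM or Key Vault fails the aud check even though the signature is perfectly valid.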
Affected Systems
This issue affects the Azure Authenticator Extension (azureauthextension) in the OpenTelemetry Collector Contrib distribution, versions 0.124.0 through 0.150.0 inclusive. The component is used by deployments that front OpenTelemetry receivers with Azure AD authentication, whether on Azure-hosted services or in custom-built collectors.
Risk and Exploitability
A CVSS base score of 8.1 places this at high severity: the flaw is reachable over the network and defeats authentication outright. No EPSS score has been published, which says nothing about likelihood; the attack requires only a captured access token issued to the collector's identity, and that token remains replayable until it expires, typically an hour or more. The vulnerability is not in the CISA Known Exploited Vulnerabilities catalog, which means no confirmed in-the-wild exploitation has been recorded, not that exploitation is hard. The attack is an ordinary HTTP(S) request to the receiver carrying the replayed bearer token and a Host header that maps to the token's scope, so the collector's network exposure matters far more than any specialised tooling.
OpenCVE Enrichment
Github GHSA