CVE-2026-42151 Overview
CVE-2026-42151 is an information disclosure vulnerability in Prometheus, the open-source monitoring system and time-series database. The flaw exists in the Azure Active Directory (Azure AD) remote write OAuth configuration handler at storage/remote/azuread. The client_secret field was typed as string instead of Secret, causing Prometheus to skip its standard redaction logic when serving the configuration through the /-/config HTTP API endpoint. Any user or process with access to that endpoint could read the Azure OAuth client secret in plaintext. The issue is fixed in Prometheus versions 3.5.3 and 3.11.3.
Critical Impact
Attackers with access to the Prometheus configuration endpoint can retrieve Azure AD OAuth client secrets in cleartext, enabling impersonation of the Prometheus remote write identity against Azure resources.
Affected Products
- Prometheus versions prior to 3.5.3 (3.5.x branch)
- Prometheus versions prior to 3.11.3 (3.11.x branch)
- Prometheus deployments using Azure AD OAuth for remote write storage
Discovery Timeline
- 2026-05-04 - CVE-2026-42151 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-42151
Vulnerability Analysis
Prometheus supports remote write to long-term storage backends, including Azure-hosted services authenticated via Azure AD OAuth. Operators configure a client_id and client_secret in the Prometheus YAML configuration file. Prometheus uses a Go type named Secret for sensitive fields, and its serializer replaces values of that type with <secret> when the configuration is rendered through the /-/config API endpoint.
In the affected versions, the client_secret field inside the Azure AD remote write OAuth struct was declared as a plain Go string. The redaction logic only triggers on the Secret type, so the field bypassed sanitization. As a result, the full plaintext OAuth client secret was returned to anyone able to query /-/config. This vulnerability is classified as Information Exposure under CWE-200.
Root Cause
The root cause is an incorrect type declaration in the OAuth configuration struct under storage/remote/azuread. Using a primitive string type instead of the config.Secret wrapper disables the type-driven redaction performed by the Prometheus configuration serializer. The fix, delivered in GitHub Pull Request #18587 and GitHub Pull Request #18590, retypes the field to Secret so the existing redaction path applies.
Attack Vector
The vulnerability is exploitable over the network without authentication when the Prometheus HTTP API is reachable by the attacker. An attacker issues an HTTP GET to /-/config and parses the YAML response. The returned configuration contains the Azure AD client_secret in cleartext under the remote write OAuth section. The attacker then uses the credential to obtain Azure AD access tokens for the application registration tied to that secret, gaining the privileges granted to the Prometheus remote write identity.
No verified public exploit code is referenced in the advisory. Refer to GitHub Security Advisory GHSA-wg65-39gg-5wfj for vendor details.
Detection Methods for CVE-2026-42151
Indicators of Compromise
- HTTP GET requests to the /-/config endpoint of Prometheus servers from unexpected source addresses or user agents.
- Azure AD sign-in logs showing token requests for the Prometheus application registration from IP addresses outside the Prometheus host range.
- Configuration responses from /-/config that include a non-redacted client_secret value under azuread.oauth, confirming an unpatched instance.
Detection Strategies
- Audit running Prometheus binaries and container images for versions older than 3.5.3 or 3.11.3 across the fleet.
- Query /-/config on each instance and grep for client_secret: followed by any value other than <secret>.
- Correlate web access logs for /-/config requests with identity provider logs for Azure AD application token issuance.
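The version audit and the /-/config check from the list above, as an added example (not Prometheus tooling). It assumes the fixed-version rule stated in this advisory (3.5.3+ on the 3.5 branch, 3.11.3+ on the 3.11 branch, older 3.x branches unfixed) and uses a constructed config excerpt with a made-up secret value.

```go
package main

import (
	"fmt"
	"strings"
)
// SampleConfig is a constructed excerpt of what an unpatched instance
// returns from /-/config; the secret value is made up for this example.
const SampleConfig = `remote_write:
  - azuread:
      oauth:
        client_secret: constructed-plaintext-secret
`
// IsFixed reports whether a version carries the fix: 3.5.3+ on the 3.5
// branch, 3.11.3+ on the 3.11 branch, or newer; 3.6 to 3.10 count as unfixed.
func IsFixed(version string) (bool, error) {
	var major, minor, patch int
	n, err := fmt.Sscanf(strings.TrimPrefix(version, "v"), "%d.%d.%d", &major, &minor, &patch)
	if err != nil || n != 3 {
		return false, fmt.Errorf("unexpected version %q", version)
	}
	switch {
	case major != 3:
		return major > 3, nil
	case minor == 5 || minor == 11:
		return patch >= 3, nil
	default:
		return minor > 11, nil
	}
}
// UnredactedSecrets returns the 1-based line numbers of every client_secret
// in /-/config output whose value is not the "<secret>" marker.
func UnredactedSecrets(config string) []int {
	var hits []int
	for i, line := range strings.Split(config, "\n") {
		kv := strings.SplitN(strings.TrimSpace(line), ":", 2)
		if len(kv) != 2 || strings.TrimSpace(kv[0]) != "client_secret" {
			continue
		}
		if v := strings.Trim(strings.TrimSpace(kv[1]), `"'`); v != "" && v != "<secret>" {
			hits = append(hits, i+1)
		}
	}
	return hits
}
func main() {
	fmt.Println("unredacted client_secret lines:", UnredactedSecrets(SampleConfig))
}
```

Any non-empty result from UnredactedSecrets confirms an unpatched instance whose secret must be rotated, not merely upgraded.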
Monitoring Recommendations
- Forward Prometheus access logs and Azure AD sign-in logs to a centralized SIEM or data lake for cross-source correlation.
- Alert on any unauthenticated access to Prometheus management endpoints, including /-/config, /-/reload, and /api/v1/status/config.
- Track Azure AD application secret usage patterns and alert on token requests from new geographies or autonomous systems.
How to Mitigate CVE-2026-42151
Immediate Actions Required
- Upgrade Prometheus to version 3.5.3 or 3.11.3 as published in GitHub Release v3.5.3 and GitHub Release v3.11.3.
- Rotate the Azure AD application client secret used by Prometheus remote write, since prior values must be considered compromised on any exposed instance.
- Restrict network access to Prometheus HTTP endpoints to trusted operator subnets and authenticated reverse proxies.
- Review Azure AD audit logs for unexpected token issuance against the Prometheus application registration.
Patch Information
The Prometheus maintainers fixed the vulnerability by retyping the client_secret field to Secret in the Azure AD OAuth configuration. The patches are merged in GitHub Pull Request #18587 and GitHub Pull Request #18590, and shipped in releases 3.5.3 and 3.11.3. Operators on older 3.x branches should upgrade to one of these fixed releases.
Workarounds
- Place Prometheus behind an authenticating reverse proxy and deny all external access to the /-/config endpoint until the upgrade is applied.
- Bind the Prometheus HTTP listener to localhost or a management-only interface using --web.listen-address.
- Disable Azure AD OAuth on remote write and switch to an alternative authentication method, such as managed identity, where feasible.
# Restrict configuration exposure with an nginx reverse proxy fronting Prometheus.
# /api/v1/status/config serves the same loaded configuration as /-/config,
# so both paths are denied until the upgrade is applied.
location ~ ^/(-/config|api/v1/status/config)$ {
    deny all;
}
location / {
    auth_basic "Prometheus";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://127.0.0.1:9090;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.