PatchSiren cyber security CVE debrief
CVE-2026-42602 open-telemetry CVE debrief
A server-side authentication bypass in the OpenTelemetry Collector Contrib Azure Authenticator Extension (azureauthextension) allows any party holding a valid Azure access token for any scope the collector's configured identity can mint to authenticate to any OpenTelemetry receiver using auth: azure_auth. Affected versions from 0.124.0 through 0.150.0 fail to validate incoming bearer tokens as JWTs. Instead, the extension's Authenticate method calls its own configured credential to obtain an access token and compares the client's token to the result with string equality. The scope for the server-side token request is taken from the client-supplied Host header, meaning an attacker can present a token minted for any Azure resource the service principal has access to (ARM, Graph, Key Vault, Storage, etc.) and authenticate by supplying a matching Host header. Tokens remain replayable for their full issued lifetime, commonly several hours for managed identity tokens. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, scoring 8.1 (HIGH). The CVE was published on 2026-05-13 and last modified on 2026-06-01.
- Vendor: open-telemetry
- Product: opentelemetry-collector-contrib
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-06-01
- Advisory published: 2026-05-13
- Advisory updated: 2026-06-01
Who should care
Organizations running OpenTelemetry Collector Contrib with the Azure Authenticator Extension (azureauthextension) versions 0.124.0 through 0.150.0, particularly those exposing OpenTelemetry receivers to networks where Azure access tokens may be obtainable by unauthorized parties. Also relevant to security teams monitoring for authentication bypass vulnerabilities in cloud-native observability infrastructure, and to Azure administrators responsible for managed identity and service principal scope governance.
Technical summary
The azureauthextension in OpenTelemetry Collector Contrib versions 0.124.0 to 0.150.0 contains a critical authentication bypass. The extension's Authenticate method does not perform JWT validation on incoming bearer tokens. It instead requests a new access token using its own configured credentials, using the client-supplied Host header to determine the token scope, then compares the client's token to this freshly minted token using string equality. An attacker with any valid Azure access token for any resource the collector's identity can access can replay that token against the collector by providing a matching Host header. The attack requires network access to the receiver and a valid token (low privilege bar), has no user interaction requirement, and results in complete authentication bypass with integrity and availability impact. Tokens are valid for their full lifetime, typically hours.
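As an added illustration, not code from the extension itself, the following Go contrasts the flawed pattern the summary describes (scope taken from the Host header, token compared by string equality with one the collector mints for itself) with a check that validates the bearer as an RS256 JWT against a fixed audience and issuer. The `mint` callback, `demoKey`, and the audience and issuer strings are constructed assumptions; a real verifier would load the tenant's published signing keys rather than generate its own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// demoKey stands in for the tenant signing key; a real verifier would load the
// issuer's published keys (constructed for this example only).
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// vulnerableAuthenticate mirrors the flawed pattern: the scope is taken from the
// client-supplied Host header and the bearer token is compared by string equality
// with one the collector mints for itself, so mint() stands in for the credential.
func vulnerableAuthenticate(host, bearer string, mint func(scope string) string) bool {
	return bearer == mint("https://" + host + "/.default")
}

// hardenedAuthenticate validates the bearer as an RS256 JWT against a fixed
// audience and issuer from configuration; the Host header plays no part and the
// alg is pinned before the signature is examined (no "none", no key confusion).
func hardenedAuthenticate(bearer string, pub *rsa.PublicKey, wantAud, wantIss string, now int64) error {
	p := strings.Split(bearer, ".")
	if len(p) != 3 {
		return errors.New("malformed jwt")
	}
	hdrRaw, e1 := base64.RawURLEncoding.DecodeString(p[0])
	body, e2 := base64.RawURLEncoding.DecodeString(p[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(p[2])
	var hdr struct{ Alg string `json:"alg"` }
	var c map[string]any
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(body, &c) != nil || hdr.Alg != "RS256" {
		return errors.New("undecodable jwt or unexpected alg")
	}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return errors.New("bad signature")
	}
	exp, _ := c["exp"].(float64)
	if c["aud"] != wantAud || c["iss"] != wantIss || float64(now) >= exp {
		return errors.New("audience, issuer or expiry rejected")
	}
	return nil
}
```

With the hardened check, a token minted for another Azure resource fails on audience regardless of the Host header, and a replayed token stops working at its expiry.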
Defensive priority
HIGH
Recommended defensive actions
- Upgrade azureauthextension to a fixed version beyond 0.150.0 as indicated in the vendor security advisory.
- Review OpenTelemetry receiver configurations using auth: azure_auth and verify that only the intended Azure resources are in scope for the configured identity.
- Audit Azure AD sign-in logs and token issuance records for any anomalous token requests or usage patterns that may indicate exploitation.
- Implement network-level controls to restrict access to OpenTelemetry receivers to authorized hosts where architecture permits.
- Monitor for unexpected Host header values in requests to receivers using azure_auth authentication.
- Review and reduce the scopes and Azure resource permissions granted to the service principal or managed identity used by the collector to the minimum required.
Evidence notes
The NVD record lists CPE criteria for opentelemetry:opentelemetry_collector_contrib for Go, with vulnerable versions from 0.124.0 through 0.150.0 inclusive. The GitHub Security Advisory is cited as the primary reference with tags indicating it contains exploit information, mitigation steps, and vendor advisory content. Weaknesses enumerated include CWE-208 (Observable Timing Discrepancy), CWE-287 (Improper Authentication), CWE-290 (Authentication Bypass by Spoofing), CWE-294 (Authentication Bypass by Capture-replay), and CWE-347 (Improper Verification of Cryptographic Signature).
Official resources
- CVE-2026-42602 CVE record (CVE.org)
- CVE-2026-42602 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Mitigation, Vendor Advisory
The vulnerability was disclosed via GitHub Security Advisory GHSA-pjv4-3c63-699f, which is tagged as containing exploit details, mitigation guidance, and vendor advisory information.