PatchSiren cyber security CVE debrief
CVE-2026-42151 prometheus CVE debrief
CVE-2026-42151 is a high-severity information-disclosure vulnerability in Prometheus, the open-source monitoring system. The client_secret field of the Azure AD remote write OAuth configuration was typed as a plain string rather than as a Secret, so the Azure OAuth client secret was not redacted and was returned in plaintext by the /-/config HTTP API endpoint. Prometheus versions prior to 3.5.3 and 3.11.3 are affected; both releases correct the field type. Users should upgrade to a patched release and rotate any client secret that may have been read through the endpoint while an affected version was running.
- Vendor
- prometheus
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-04
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-05-04
- Advisory updated
- 2026-06-30
Who should care
Operators who run Prometheus with remote write authenticated through Azure AD OAuth (a client_secret in the oauth section of the azuread remote write settings) should care. The exposure is direct wherever the /-/config HTTP API endpoint is reachable by parties not entitled to that secret: Prometheus does not authenticate its HTTP endpoints unless a web configuration file (basic auth or TLS client certificates) or a fronting proxy enforces it, so anyone who can query the server can read the client secret and then authenticate to Azure AD as that application.
Technical summary
The client_secret field in the Azure AD remote write OAuth configuration of Prometheus was typed as a string instead of a Secret. Prometheus redacts configuration values of the Secret type when it renders the configuration for display, replacing them with the placeholder <secret>; a plain string field gets no such treatment, so the Azure OAuth client secret was served verbatim when the configuration was read through the /-/config HTTP API endpoint. The issue is resolved in Prometheus versions 3.5.3 and 3.11.3 by changing the type of client_secret to Secret, which makes the field redact like every other secret when the configuration is served. The fix changes only the rendered view; the secret is still used normally for token acquisition, and a secret that was already read from an unpatched server is not protected retroactively.
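The type change is the whole fix. The Go program below is an added illustration, not code from Prometheus or its advisory: it models the client_secret field before and after the change using a stand-alone Secret type that mimics the redaction behaviour of config.Secret in prometheus/common (whose marshalling hooks return the placeholder <secret> for a non-empty value). Prometheus serves its configuration as YAML; encoding/json is used here only so the example runs with no external modules, and the field names client_id, client_secret and tenant_id are assumed to match the azuread oauth settings. The client secret and identifiers in main are made up.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Secret is a stand-alone analogue of config.Secret from prometheus/common:
// a string type whose marshalling hook hides a non-empty value behind the
// placeholder "<secret>". Upstream does this in MarshalYAML (and MarshalJSON);
// only the JSON hook is implemented here so the example needs no YAML module.
type Secret string

const secretToken = `"<secret>"`

// MarshalJSON redacts the value. The placeholder is returned as a raw JSON
// literal rather than via json.Marshal so that '<' and '>' are not escaped.
// An empty secret stays "", matching upstream, so a reader can still tell
// "not configured" from "configured but hidden".
func (s Secret) MarshalJSON() ([]byte, error) {
	if s != "" {
		return []byte(secretToken), nil
	}
	return []byte(`""`), nil
}

// AzureADOAuthBefore models the pre-fix field types: client_secret is a
// plain string, so any code that renders the configuration emits the Azure
// client secret verbatim. Field names are assumed from the azuread oauth settings.
type AzureADOAuthBefore struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// AzureADOAuthAfter models the patched types: the only change is that
// client_secret is a Secret.
type AzureADOAuthAfter struct {
	ClientID     string `json:"client_id"`
	ClientSecret Secret `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// render serialises a config struct the way a config-dump endpoint would,
// with HTML escaping off so the placeholder appears literally.
func render(v interface{}) string {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	enc.SetIndent("", "  ")
	if err := enc.Encode(v); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderBefore and RenderAfter return the served view of the same input
// under the vulnerable and the fixed field types.
func RenderBefore(clientID, clientSecret, tenantID string) string {
	return render(AzureADOAuthBefore{ClientID: clientID, ClientSecret: clientSecret, TenantID: tenantID})
}

func RenderAfter(clientID, clientSecret, tenantID string) string {
	return render(AzureADOAuthAfter{ClientID: clientID, ClientSecret: Secret(clientSecret), TenantID: tenantID})
}

// Leaks reports whether a rendered configuration still contains the raw secret.
func Leaks(rendered, secret string) bool {
	return secret != "" && strings.Contains(rendered, secret)
}

func main() {
	// Constructed values; the client secret is made up.
	clientID := "11111111-2222-3333-4444-555555555555"
	clientSecret := "ExAmPlE~clientSecretValue123"
	tenantID := "66666666-7777-8888-9999-000000000000"

	before := RenderBefore(clientID, clientSecret, tenantID)
	after := RenderAfter(clientID, clientSecret, tenantID)
	fmt.Printf("before fix (leaks=%v):\n%s\n", Leaks(before, clientSecret), before)
	fmt.Printf("after fix (leaks=%v):\n%s", Leaks(after, clientSecret), after)
}
```

Running it prints the same struct twice: the vulnerable shape with the secret in clear, the patched shape with "client_secret": "<secret>". The point to take away is that redaction in Prometheus is a property of the field's type, not of the endpoint, which is why a single wrong type annotation was enough to leak the value everywhere the configuration is rendered.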
Defensive priority
High priority: upgrade Prometheus to 3.5.3 or 3.11.3. Until the upgrade is done, restrict access to the /-/config HTTP API endpoint (in practice, to the whole Prometheus HTTP surface) to trusted networks or put authentication in front of it. If the endpoint was reachable by untrusted parties while an affected version was running, treat the Azure AD client secret as exposed and rotate it.
Recommended defensive actions
- Update Prometheus to version 3.5.3 or 3.11.3, or a later release in the same line.
- Restrict access to the /-/config HTTP API endpoint: enforce authentication with Prometheus's web configuration file or a reverse proxy, and limit network reachability to the operators and automation that need it.
- Review which principals could reach the endpoint while an affected version was running; if that set includes anyone who should not hold the secret, rotate the Azure AD application's client secret and update the Prometheus configuration with the new value.
- Monitor for access to /-/config: check proxy or access logs for requests from unexpected sources, and check Azure AD sign-in activity for the application from unexpected locations.
- After upgrading, confirm that the served configuration shows <secret> in place of the client_secret value rather than the literal secret.
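To verify the mitigation on a running server, fetch the served configuration and check that no client_secret is rendered as a literal. The Go function below is an added example, not a Prometheus tool: it scans configuration text for client_secret keys whose value is anything other than the <secret> placeholder, ignores client_secret_file (whose value is a path, not a secret), and is exercised on two constructed snippets, one imitating an unpatched server and one a patched server. The URLs, identifiers and secret in the samples are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one line of served configuration whose client_secret is a
// literal value instead of the <secret> placeholder.
type Finding struct {
	Line  int    // 1-based line number in the served text
	Value string // the served value, kept so it can be compared with the real secret; do not log it
}

// ExposedClientSecrets scans YAML text as returned by a Prometheus config
// endpoint and reports every "client_secret:" key that is not redacted.
// It is a line-oriented check, which is enough for the one-key-per-line
// YAML Prometheus emits (block scalars are not handled). It deliberately
// ignores "client_secret_file", whose value is a path, and empty values,
// which mean the field is unset.
func ExposedClientSecrets(served string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(served))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "#") {
			continue // whole-line comment
		}
		key, val, ok := strings.Cut(line, ":")
		if !ok || strings.TrimSpace(key) != "client_secret" {
			continue // any other key, including client_secret_file
		}
		if i := strings.Index(val, " #"); i >= 0 {
			val = val[:i] // strip a trailing YAML comment
		}
		val = strings.Trim(strings.TrimSpace(val), `"'`)
		if val == "" || val == "<secret>" {
			continue
		}
		findings = append(findings, Finding{Line: n, Value: val})
	}
	return findings
}

// constructedBeforeFix imitates the config an unpatched server returns.
// All identifiers and the secret are made up.
const constructedBeforeFix = `remote_write:
- url: https://ingest.example.invalid/api/v1/write
  azuread:
    cloud: AzurePublic
    oauth:
      client_id: 11111111-2222-3333-4444-555555555555
      client_secret: ExAmPlE~clientSecretValue123
      tenant_id: 66666666-7777-8888-9999-000000000000
`

// constructedAfterFix imitates the same config from a patched server, plus a
// second remote_write target using a generic oauth2 block with a secret file.
const constructedAfterFix = `remote_write:
- url: https://ingest.example.invalid/api/v1/write
  azuread:
    cloud: AzurePublic
    oauth:
      client_id: 11111111-2222-3333-4444-555555555555
      client_secret: <secret>
      tenant_id: 66666666-7777-8888-9999-000000000000
- url: https://ingest2.example.invalid/api/v1/write
  oauth2:
    client_id: second-client
    client_secret_file: /run/secrets/oauth2_client_secret
    token_url: https://login.example.invalid/oauth2/token
`

func report(name, served string) {
	findings := ExposedClientSecrets(served)
	fmt.Printf("%s: %d unredacted client_secret value(s)\n", name, len(findings))
	for _, f := range findings {
		// Print the length, never the value, so the secret does not end up in a terminal log.
		fmt.Printf("  line %d exposes a client secret (%d characters)\n", f.Line, len(f.Value))
	}
}

func main() {
	report("before fix", constructedBeforeFix)
	report("after fix", constructedAfterFix)
}
```

To run this against a real server, replace the constants with the body returned by your own config endpoint (for example, saved with curl from a host that is allowed to reach it). A non-empty result after upgrading means the running binary is still an affected version or the configuration was reloaded from an older build; an empty result before upgrading only means the Azure AD OAuth section is not in use.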
Evidence notes
The CVE record and NVD detail provide official information on the vulnerability. The source item URL provides additional context from the NVD database. References from GitHub and Red Hat offer mitigation and patch information.
Official resources
- CVE-2026-42151 CVE record (CVE.org)
- CVE-2026-42151 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] (Issue Tracking, Patch)
- Mitigation or vendor reference: [email protected] (Issue Tracking, Patch)
- Mitigation or vendor reference: [email protected] (Release Notes)
- Mitigation or vendor reference: [email protected] (Release Notes)
- Mitigation or vendor reference: [email protected] (Vendor Advisory)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.