PatchSiren

CVE-2026-42151 prometheus CVE debrief

CVE-2026-42151 is a high-severity information-disclosure vulnerability in Prometheus, the open-source monitoring system. The client_secret field of the Azure AD remote write OAuth configuration was typed as a plain string instead of Prometheus's Secret type, so the Azure OAuth client secret was rendered in plaintext when the loaded configuration was served through the /-/config HTTP API endpoint. Releases before 3.5.3 on the 3.5 line and before 3.11.3 on the 3.11 line are affected; both releases contain the fix. Users should upgrade to a fixed release, and should assume that any secret served by an unpatched endpoint reachable by untrusted parties has been read.

Vendor
prometheus
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-04
Original CVE updated
2026-06-30
Advisory published
2026-05-04
Advisory updated
2026-06-30

Who should care

Operators of Prometheus servers that use the Azure AD remote write OAuth configuration (the azuread/oauth block of a remote_write entry) are affected. Prometheus ships with no authentication of its own unless you configure basic auth or TLS client auth through web.config.file, or front it with an authenticating reverse proxy, so on an affected version anyone who can reach the server's HTTP port can request /-/config and read the Azure client secret in plaintext. Servers exposed beyond a trusted network need immediate attention.

Technical summary

The client_secret field in the Azure AD remote write OAuth configuration of Prometheus was typed as a string instead of the Secret type Prometheus uses for credentials. Prometheus renders its loaded configuration on request, and the renderer has no knowledge of which fields are sensitive: redaction comes from the field type, because Secret marshals to the placeholder <secret> whenever a non-empty value is serialized, while a plain string is copied verbatim. With the wrong type, the Azure OAuth client secret therefore appeared in plaintext in the output of the /-/config HTTP API endpoint. Prometheus 3.5.3 and 3.11.3 fix the issue by changing the field type to Secret, after which the endpoint serves the placeholder in its place.

Defensive priority

Upgrading to Prometheus 3.5.3 or 3.11.3 (or a later release on the same line) is high priority. Until the upgrade is done, restrict network access to the /-/config HTTP API endpoint, and to the Prometheus HTTP port in general, and treat any Azure client secret that an unpatched, reachable server has been serving as compromised: patching stops further disclosure but does not revoke a secret that was already read.

Recommended defensive actions

  • Update Prometheus to version 3.5.3 or 3.11.3, or a later release on the same line.
  • Restrict access to the /-/config HTTP API endpoint: place Prometheus behind authentication (basic auth or TLS client auth via web.config.file, or an authenticating reverse proxy) and do not expose its HTTP port to untrusted networks. The rendered configuration is the same content the /api/v1/status/config API returns, so restrict the whole server rather than one path.
  • Rotate the Azure AD client secret in Azure and in the Prometheus configuration wherever an unpatched server was reachable by parties who should not hold it.
  • Review reverse-proxy or network logs for requests to /-/config from unexpected sources, and treat any such request before the patch as a disclosure.
  • Purge copies of the rendered configuration taken before patching (support bundles, config dumps, screenshots of the configuration page), since they contain the plaintext value.
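The following Go checker is an added example, not part of PatchSiren's or Prometheus's material. It scans a rendered configuration for client_secret values that are not the <secret> placeholder, accepting either raw YAML or the JSON envelope that /api/v1/status/config returns (the data.yaml field). The sample configurations embedded in it are constructed, the -url flag and function names are the example's own, and it assumes the rendered YAML uses the client_secret key as shown.

```go
package main

import (
	"bufio"
	"encoding/json"
	"flag"
	"fmt"
	"io"
	"net/http"
	"os"
	"regexp"
	"strings"
)

// Constructed sample of what an affected server renders: the Azure AD
// client_secret appears verbatim. Not a real credential.
const sampleVulnerableConfig = `remote_write:
- url: https://example.invalid/api/v1/write
  azuread:
    cloud: AzurePublic
    oauth:
      client_id: 00000000-0000-0000-0000-000000000000
      client_secret: not-a-real-secret-value
      tenant_id: 11111111-1111-1111-1111-111111111111
`

// Constructed sample of a patched rendering: only the placeholder is shown.
const samplePatchedConfig = `remote_write:
- url: https://example.invalid/api/v1/write
  azuread:
    cloud: AzurePublic
    oauth:
      client_id: 00000000-0000-0000-0000-000000000000
      client_secret: <secret>
      tenant_id: 11111111-1111-1111-1111-111111111111
`

// clientSecretLine matches `client_secret: value` at any indentation.
var clientSecretLine = regexp.MustCompile(`^\s*client_secret:\s*(.*?)\s*$`)

// extractYAML returns the YAML text from either a raw YAML body or the JSON
// envelope {"status":"success","data":{"yaml":"..."}} of /api/v1/status/config.
func extractYAML(body string) string {
	trimmed := strings.TrimSpace(body)
	if !strings.HasPrefix(trimmed, "{") {
		return body
	}
	var resp struct {
		Data struct {
			YAML string `json:"yaml"`
		} `json:"data"`
	}
	if err := json.Unmarshal([]byte(trimmed), &resp); err != nil || resp.Data.YAML == "" {
		return body
	}
	return resp.Data.YAML
}

// unredactedClientSecrets returns the 1-based line numbers (within the YAML)
// of every client_secret whose value is neither empty nor "<secret>".
// A patched Prometheus yields an empty slice.
func unredactedClientSecrets(body string) []int {
	var hits []int
	sc := bufio.NewScanner(strings.NewReader(extractYAML(body)))
	for n := 1; sc.Scan(); n++ {
		m := clientSecretLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		v := strings.Trim(m[1], `"'`) // tolerate a quoted placeholder
		if v != "" && v != "<secret>" {
			hits = append(hits, n)
		}
	}
	return hits
}

// report turns a check result into a one-line verdict.
func report(body string) string {
	hits := unredactedClientSecrets(body)
	if len(hits) == 0 {
		return "OK: no unredacted client_secret values"
	}
	return fmt.Sprintf("EXPOSED: plaintext client_secret on line(s) %v; rotate it and patch", hits)
}

func main() {
	url := flag.String("url", "", "config endpoint to fetch (default: run the built-in samples)")
	flag.Parse()
	if *url == "" {
		fmt.Println("vulnerable sample:", report(sampleVulnerableConfig))
		fmt.Println("patched sample:   ", report(samplePatchedConfig))
		return
	}
	resp, err := http.Get(*url)
	if err != nil {
		fmt.Fprintln(os.Stderr, "fetch failed:", err)
		os.Exit(2)
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		fmt.Fprintln(os.Stderr, "read failed:", err)
		os.Exit(2)
	}
	verdict := report(string(b))
	fmt.Println(verdict)
	if strings.HasPrefix(verdict, "EXPOSED") {
		os.Exit(1)
	}
}
```

Run it without arguments to see both samples judged, or with -url pointing at a server's configuration endpoint from a host that is allowed to reach it; a non-zero exit on a live server means the secret is already disclosed to anyone else with the same reach and must be rotated, not just hidden by the upgrade.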

Evidence notes

The CVE record and the NVD detail page provide the official description of the vulnerability; the source item URL is the NVD entry. The GitHub and Red Hat references carry the patch and mitigation information.

Official resources

This article is AI-assisted and based on the supplied source corpus.