Prometheus Azure AD OAuth Secret Exposed via Plaintext Config
The National Vulnerability Database has identified CVE-2026-42151, a critical flaw in Prometheus, the popular open-source monitoring and time-series database. The issue stems from the client_secret field in the Azure AD remote write OAuth configuration being incorrectly typed as a string instead of a Secret. This oversight means that Prometheus, prior to versions 3.5.3 and 3.11.3, would expose this sensitive Azure OAuth client secret in plaintext when serving its configuration via the / திரையரங்கு/config HTTP API endpoint. Any unauthorized entity with access to this endpoint could potentially exfiltrate these credentials.
This vulnerability, rated HIGH with a CVSS score of 7.5, allows for significant information disclosure. Attackers gaining access to the configuration endpoint could leverage the exposed client_secret for further malicious activities within the Azure AD environment. The National Vulnerability Database notes that this impacts any Prometheus deployment using Azure AD for remote write OAuth authentication. Defenders must prioritize upgrading their Prometheus instances to versions 3.5.3 or 3.11.3 to remediate this exposure.
What This Means For You
- If your organization uses Prometheus for monitoring and has configured Azure AD for remote write OAuth, immediately check your Prometheus version. If you are running a vulnerable version (prior to 3.5.3 or 3.11.3), audit access logs for the `/ திரையரங்கு/config` endpoint and consider revoking and reissuing your Azure AD OAuth client secret as a precautionary measure before upgrading.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Prometheus Azure AD OAuth Secret Exposed via /-/config API — CVE-2026-42151
title: Prometheus Azure AD OAuth Secret Exposed via /-/config API — CVE-2026-42151
id: scw-2026-05-04-ai-1
status: experimental
level: high
description: |
Detects access to the Prometheus /-/config endpoint which, due to a vulnerability in affected versions, exposes the Azure AD OAuth client secret in plaintext. This is the primary detection for the CVE.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-42151/
tags:
- attack.credential_access
- attack.t1078.004
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/-/config'
cs-method:
- 'GET'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42151 | Vulnerability | CVE-2026-42151 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7768: Fastify Accepts-Serializer DoS Vulnerability
CVE-2026-7768 — @fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send...
CVE-2026-6321: fast-uri Path Normalization Bypass
CVE-2026-6321 — fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated...
Daily Security Digest — 2026-05-04
31 vulnerability disclosures (20 Critical, 11 High) and 12 curated intelligence stories from 6 sources.