CVE-2026-42151: Prometheus Azure AD remote write OAuth client secret exposed via config API
Users who use Azure AD remote write with OAuth authentication are impacted.
The client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint.
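The type-level cause of the bug, as an added Go illustration that is not Prometheus's own code: a self-redacting Secret type (modelled on the pattern the advisory describes, here via encoding/json rather than Prometheus's config.Secret and YAML marshalling) beside the vulnerable and the corrected OAuth struct, plus the regression check that would have caught the plain-string field. The struct names, Render and Leaks are assumptions for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Secret redacts itself on serialization (an added illustration of the pattern, not Prometheus's own code).
type Secret string

// MarshalJSON emits a fixed placeholder so a config dump never carries the credential.
func (s Secret) MarshalJSON() ([]byte, error) {
	return []byte(`"<secret>"`), nil
}

// VulnerableOAuth mirrors the flawed shape: client_secret is a plain string.
type VulnerableOAuth struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
}

// FixedOAuth types the field as Secret so redaction happens automatically.
type FixedOAuth struct {
	ClientID     string `json:"client_id"`
	ClientSecret Secret `json:"client_secret"`
}

// Render stands in for a config-dump endpoint serializing the loaded config.
func Render(v interface{}) string {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep "<secret>" readable instead of \u003c-escaped
	_ = enc.Encode(v)        // plain structs cannot fail to encode
	return strings.TrimSpace(buf.String())
}

// Leaks is the regression check: does the rendered config still contain the raw secret?
func Leaks(rendered, secret string) bool {
	return strings.Contains(rendered, secret)
}

func main() {
	const secret = "constructed-example-secret" // constructed sample, not a real credential
	vuln := Render(VulnerableOAuth{ClientID: "app", ClientSecret: secret})
	fixed := Render(FixedOAuth{ClientID: "app", ClientSecret: Secret(secret)})
	fmt.Printf("vulnerable: %s leaks=%v\n", vuln, Leaks(vuln, secret))
	fmt.Printf("fixed:      %s leaks=%v\n", fixed, Leaks(fixed, secret))
}
```

A Leaks-style assertion over the rendered configuration, run for every credential-bearing field, is the cheapest way to make a mistyped secret fail a test rather than ship.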
References
- github.com/advisories/GHSA-wg65-39gg-5wfj
- github.com/prometheus/prometheus/pull/18587
- github.com/prometheus/prometheus/pull/18590
- github.com/prometheus/prometheus/releases/tag/v3.11.3
- github.com/prometheus/prometheus/releases/tag/v3.5.3
- github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj
- nvd.nist.gov/vuln/detail/CVE-2026-42151