CVE-2026-42151 HIGH

CVE-2026-42151: Prometheus Azure AD remote write OAuth client secret exposed via config API

Vendor Prometheus

Product prometheus

Weakness CWE-200 · Info exposure

Published May 4, 2026

Last update June 30, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.

Key dates

02Disclosure timeline

May 4, 2026 CVE published

June 30, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-42151 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

Identifiers

CVE CVE-2026-42151

CWE CWE-200

CVSS 7.5 / HIGH

Affected versions

Vendor Prometheus

Product prometheus

Affected < 3.5.3

Vendor Prometheus

Product prometheus

Affected >= 3.6.0, < 3.11.3

CVE-2026-42151: Prometheus Azure AD remote write OAuth client secret exposed via config API

01Description

02Disclosure timeline

03References

04Related CVE