{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azureauthextension/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["opentelemetry-collector-contrib","azureauthextension","Entra ID","go-oidc"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","opentelemetry","azure","jwt"],"_cs_type":"advisory","_cs_vendors":["Microsoft","GitHub","OpenTelemetry"],"content_html":"\u003cp\u003eThe \u003ccode\u003eazureauthextension\u003c/code\u003e in \u003ccode\u003eopentelemetry-collector-contrib\u003c/code\u003e versions 0.124.0 through 0.150.0 contains a server-side authentication bypass. The \u003ccode\u003eAuthenticate\u003c/code\u003e method doesn\u0026rsquo;t validate incoming bearer tokens as JWTs, leading to a vulnerability where any party holding a valid Azure access token can authenticate to any OpenTelemetry receiver using \u003ccode\u003eauth: azure_auth\u003c/code\u003e. The extension compares client tokens to its own minted tokens via string equality, using the client-supplied \u003ccode\u003eHost\u003c/code\u003e header to determine the token scope. An attacker can replay tokens minted for any Azure resource the service principal has a token for, by setting the \u003ccode\u003eHost\u003c/code\u003e header, which compromises authentication. This issue was introduced in PR #39178 and is present in versions v0.124.0 through v0.150.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid Azure access token for the collector\u0026rsquo;s service principal (SP) from a co-tenant workload, compromised peer, or leaked \u003ccode\u003eAuthorization:\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP or gRPC request to an OpenTelemetry receiver configured with \u003ccode\u003eazureauthextension\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sets the \u003ccode\u003eAuthorization\u003c/code\u003e header in the request to \u0026ldquo;Bearer \u0026rdquo; followed by the obtained Azure access token.\u003c/li\u003e\n\u003cli\u003eIf exploiting the scope confusion variant, the attacker sets the \u003ccode\u003eHost\u003c/code\u003e header to match the Azure resource associated with the token (e.g., \u003ccode\u003evault.azure.net\u003c/code\u003e for a Key Vault token).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eazureauthextension\u003c/code\u003e\u0026rsquo;s \u003ccode\u003eAuthenticate\u003c/code\u003e method extracts the \u003ccode\u003eAuthorization\u003c/code\u003e and \u003ccode\u003eHost\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egetTokenForHost\u003c/code\u003e function uses the client-supplied \u003ccode\u003eHost\u003c/code\u003e header to request a token for the corresponding scope (e.g., \u003ccode\u003ehttps://vault.azure.net/.default\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe extension performs a string comparison between the client-supplied token and the server-minted token, which succeeds because both tokens are valid for the same service principal and scope.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully bypasses authentication and ingests arbitrary telemetry data (traces, metrics, and logs) into the OpenTelemetry collector.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated ingestion of arbitrary traces, metrics, and logs. This can lead to telemetry-backend poisoning, log injection (masking real attacker activity), metric manipulation to trigger or suppress alerts, cost-amplification against pay-per-datapoint backends, and adversarial traces that corrupt service-graph and incident-triage signals. Multi-workload Azure environments, deployments that forward \u003ccode\u003eAuthorization:\u003c/code\u003e headers, and multi-tenant environments are most at risk. This vulnerability affects operators of \u003ccode\u003eopentelemetry-collector-contrib\u003c/code\u003e v0.124.0 through v0.150.0 who have configured \u003ccode\u003eazureauthextension\u003c/code\u003e on a receiver\u0026rsquo;s \u003ccode\u003eauth:\u003c/code\u003e block.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAs an immediate mitigation, remove \u003ccode\u003eazure_auth\u003c/code\u003e from any receiver \u003ccode\u003eauth:\u003c/code\u003e blocks. This prevents the vulnerable authentication mechanism from being used.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenTelemetry Azure Auth Bypass Attempt\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for specific HTTP \u003ccode\u003eHost\u003c/code\u003e header values associated with Azure services.\u003c/li\u003e\n\u003cli\u003eImplement JWT validation using \u003ccode\u003eoidcauthextension\u003c/code\u003e pointed at the tenant discovery URL, with audience pinned from configuration, as described in the mitigation section.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003eopentelemetry-collector-contrib\u003c/code\u003e once available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T12:00:00Z","date_published":"2026-05-07T12:00:00Z","id":"/briefs/2026-05-otel-auth-bypass/","summary":"A server-side authentication bypass vulnerability exists in opentelemetry-collector-contrib's azureauthextension versions 0.124.0 through 0.150.0, allowing attackers with a valid Azure access token to authenticate to any OpenTelemetry receiver that uses `auth: azure_auth` due to improper JWT validation.","title":"OpenTelemetry Collector Azure Auth Extension Authentication Bypass","url":"https://feed.craftedsignal.io/briefs/2026-05-otel-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Azureauthextension","version":"https://jsonfeed.org/version/1.1"}