{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/configuration-exposure/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-42151"}],"_cs_exploited":false,"_cs_products":["prometheus/prometheus"],"_cs_severities":["high"],"_cs_tags":["credential-access","configuration-exposure","cloud"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eA vulnerability exists in Prometheus versions 0.45.2 up to 3.11.3 (excluding 3.11.3) and before 3.5.3 LTS related to the handling of the Azure AD remote write OAuth client secret. The \u003ccode\u003eclient_secret\u003c/code\u003e field, intended to be a sensitive value, was incorrectly typed as a string instead of a \u003ccode\u003eSecret\u003c/code\u003e. This caused Prometheus to expose the client secret in plaintext when serving the configuration via the \u003ccode\u003e/-/config\u003c/code\u003e HTTP API endpoint. Any user or process with access to this endpoint could potentially view the exposed secret, leading to unauthorized access to Azure resources. This vulnerability was introduced to versions \u0026gt;=0.45.2 and affects versions \u0026lt; 0.311.3. The issue has been resolved in versions 3.11.3 and 3.5.3 LTS by correctly typing the \u003ccode\u003eClientSecret\u003c/code\u003e field in \u003ccode\u003eOAuthConfig\u003c/code\u003e as \u003ccode\u003eSecret\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a Prometheus instance running a vulnerable version (\u0026gt;= 0.45.2 and \u0026lt; 0.311.3).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003e/-/config\u003c/code\u003e HTTP API endpoint to retrieve the Prometheus configuration.\u003c/li\u003e\n\u003cli\u003eThe API returns the configuration in plaintext format.\u003c/li\u003e\n\u003cli\u003eThe attacker inspects the configuration data.\u003c/li\u003e\n\u003cli\u003eThe attacker locates the \u003ccode\u003eclient_secret\u003c/code\u003e field within the Azure AD remote write OAuth configuration section (\u003ccode\u003estorage/remote/azuread\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe client secret is exposed in plaintext within the configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the plaintext client secret.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised client secret to authenticate to Azure AD and potentially gain unauthorized access to Azure resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to obtain the Azure AD client secret used for remote write authentication. This compromised secret can then be used to impersonate the Prometheus instance and potentially access or modify data within the associated Azure resources. The number of affected Prometheus instances is currently unknown, but organizations utilizing Azure AD remote write with OAuth authentication are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Prometheus version 3.11.3 or 3.5.3 LTS to patch CVE-2026-42151.\u003c/li\u003e\n\u003cli\u003eFor users unable to upgrade immediately, switch to Managed Identity or Workload Identity authentication for Azure AD remote write as a workaround.\u003c/li\u003e\n\u003cli\u003eMonitor access to the \u003ccode\u003e/-/config\u003c/code\u003e HTTP API endpoint in your Prometheus instances using the provided Sigma rule to detect unauthorized attempts to retrieve the configuration.\u003c/li\u003e\n\u003cli\u003eRotate the Azure AD client secret if you suspect your Prometheus instance was compromised.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T12:00:00Z","date_published":"2026-05-06T12:00:00Z","id":"/briefs/2026-05-prometheus-oauth-secret-exposure/","summary":"The client_secret field in Prometheus' Azure AD remote write OAuth configuration was exposed in plaintext via the `/-/config` HTTP API endpoint, due to being incorrectly typed as a string, potentially allowing unauthorized access to sensitive credentials.","title":"Prometheus Azure AD Remote Write OAuth Client Secret Exposure","url":"https://feed.craftedsignal.io/briefs/2026-05-prometheus-oauth-secret-exposure/"}],"language":"en","title":"CraftedSignal Threat Feed — Configuration-Exposure","version":"https://jsonfeed.org/version/1.1"}