CVE-2026-42151
Published: 04 May 2026
Summary
CVE-2026-42151 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Prometheus. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 1.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-28 (Protection of Information at Rest) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-42151 affects Prometheus, an open-source monitoring system and time series database, in versions prior to 3.5.3 and 3.11.3. The vulnerability stems from the client_secret field in the Azure AD remote write OAuth configuration (under storage/remote/azuread) being typed as a plain string rather than a Secret. Prometheus redacts Secret-typed fields when exposing the configuration via the /-/config HTTP API endpoint, but because of this type mismatch the redaction never applies to that field, so the Azure OAuth client secret is disclosed in plaintext.
Any unauthenticated user or process with network access to the Prometheus instance can exploit this by querying the /-/config endpoint, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Successful exploitation allows attackers to retrieve the plaintext client secret, potentially enabling unauthorized access to Azure AD-integrated services configured for remote write operations. The issue maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-312 (Cleartext Storage of Sensitive Information).
Prometheus has addressed this in versions 3.5.3 and 3.11.3, where the field type was corrected to Secret to enable redaction. Security practitioners should upgrade to these patched releases, as detailed in the GitHub security advisory (GHSA-wg65-39gg-5wfj) and corresponding release notes. Related pull requests #18587 and #18590 document the fix implementation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27089
Vulnerability details
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated network access to the /-/config endpoint directly enables T1190 (Exploit Public-Facing Application). The resulting plaintext disclosure of the Azure AD client_secret enables T1552 (Unsecured Credentials) and T1602 (Data from Configuration Repository) because the field was not typed as a Secret and therefore not redacted.
Mitigating Controls (NIST 800-53 r5)
- SC-28 (Protection of Information at Rest): directly requires protection of sensitive information (OAuth client secrets) at rest so that configuration data served by the /-/config endpoint cannot expose plaintext values.
- AC-3 (Access Enforcement): enforces access restrictions on the /-/config HTTP endpoint so that only authorized actors can retrieve configuration containing the Azure AD secret.
- Mandates secure management and handling of authenticators (client_secret) to avoid storage or exposure in plaintext within application configuration.