Cyber Resilience

CVE-2026-42151

Severity: High
Published: 04 May 2026
Modified: 11 May 2026
KEV added: not listed
Patch: available
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0001 (1.3th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-42151 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Prometheus (vendor: Prometheus). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 1.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-28 (Protection of Information at Rest) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-42151 affects Prometheus, an open-source monitoring system and time series database, in versions prior to 3.5.3 and 3.11.3. The defect is that the client_secret field of the Azure AD remote write OAuth configuration (under storage/remote/azuread) was typed as a plain string rather than as Secret. Prometheus redacts Secret-typed fields when it exposes the running configuration through the /-/config HTTP API endpoint; because this field was not Secret-typed, the redaction never applied and the Azure OAuth client secret was returned in plaintext.

Any unauthenticated user or process with network access to the Prometheus instance can exploit this by querying the /-/config endpoint. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects exactly that: reachable over the network, low complexity, no privileges or user interaction required, and a high confidentiality impact with no integrity or availability impact. Successful exploitation yields the plaintext client secret, which could in turn grant unauthorized access to the Azure AD-integrated services that the remote write configuration authenticates to. The issue maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-312 (Cleartext Storage of Sensitive Information).

Prometheus has addressed this in versions 3.5.3 and 3.11.3 by correcting the field type to Secret so that redaction applies. Operators should upgrade to these patched releases, as detailed in the GitHub security advisory (GHSA-wg65-39gg-5wfj) and the corresponding release notes. Related pull requests #18587 and #18590 document the fix.
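To make the root cause concrete, below is a small added Go illustration written for this page; it is neither Prometheus source code nor the patch itself. It places a config struct whose client_secret is a plain string next to the same struct with the field typed as a self-redacting Secret, serialises both the way a config-dump endpoint would, and includes a LeaksSecret check an operator can run over a config dump from a staging instance after upgrading to confirm redaction is in effect. It uses encoding/json from the standard library so it runs offline; the real /-/config endpoint serves YAML, and Prometheus's Secret type (in github.com/prometheus/common/config) achieves the same effect through a MarshalYAML method. The struct names, field names and sample values are constructed stand-ins.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Secret is a constructed stand-in for a self-redacting secret type. Prometheus's
// real Secret (github.com/prometheus/common/config) redacts via MarshalYAML; the
// mechanism shown here is the same idea applied to JSON.
type Secret string

// MarshalJSON emits a fixed placeholder for any non-empty value, so a config
// dump never carries the real credential. Empty values stay empty so the
// output still shows whether a secret was configured at all.
func (s Secret) MarshalJSON() ([]byte, error) {
	if s == "" {
		return []byte(`""`), nil
	}
	return []byte(`"<secret>"`), nil
}

// VulnerableAzureADOAuth mirrors the defect: client_secret is a plain string,
// so the encoder writes it out verbatim. Constructed struct, not Prometheus source.
type VulnerableAzureADOAuth struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// FixedAzureADOAuth is the corrected shape: the same field typed as Secret.
type FixedAzureADOAuth struct {
	ClientID     string `json:"client_id"`
	ClientSecret Secret `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// Constructed sample values; none of these is a real identifier or credential.
const (
	sampleClientID = "00000000-0000-0000-0000-000000000001"
	sampleSecret   = "CONSTRUCTED-SAMPLE-SECRET-NOT-REAL"
	sampleTenant   = "00000000-0000-0000-0000-000000000002"
)

// render serialises a value the way a config-dump endpoint would. HTML escaping
// is disabled so the "<secret>" placeholder is emitted literally rather than as
// \u003csecret\u003e.
func render(v interface{}) string {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(v); err != nil {
		return "" // not reachable for these plain structs
	}
	return strings.TrimSpace(buf.String())
}

// RenderVulnerable returns the pre-fix config dump.
func RenderVulnerable() string {
	return render(VulnerableAzureADOAuth{
		ClientID: sampleClientID, ClientSecret: sampleSecret, TenantID: sampleTenant,
	})
}

// RenderFixed returns the post-fix config dump.
func RenderFixed() string {
	return render(FixedAzureADOAuth{
		ClientID: sampleClientID, ClientSecret: Secret(sampleSecret), TenantID: sampleTenant,
	})
}

// LeaksSecret is the operator-side check: given the body served by a config
// endpoint and the secret that was configured, report whether the value appears
// in plaintext. An empty configured secret never counts as a leak.
func LeaksSecret(servedBody, configuredSecret string) bool {
	return configuredSecret != "" && strings.Contains(servedBody, configuredSecret)
}

func main() {
	fmt.Printf("before fix: %s\n  leaks=%v\n", RenderVulnerable(), LeaksSecret(RenderVulnerable(), sampleSecret))
	fmt.Printf("after fix:  %s\n  leaks=%v\n", RenderFixed(), LeaksSecret(RenderFixed(), sampleSecret))
}
```

The point of the type-level fix is that redaction cannot be forgotten per call site: every encoder path that touches a Secret goes through its marshal method, whereas a plain string depends on each consumer remembering to scrub it. The same reasoning is why a review of configuration structs for credential-bearing string fields is a cheap, high-value check in any project that exposes its running configuration over an API.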


Vulnerability details

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.


Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
- T1602 Data from Configuration Repository (Collection): Adversaries may collect data related to managed devices from configuration repositories.
Why these techniques?

Unauthenticated network access to the /-/config endpoint directly enables T1190 (Exploit Public-Facing Application). The resulting plaintext disclosure of the Azure AD client_secret enables T1552 (Unsecured Credentials) and T1602 (Data from Configuration Repository) because the field was not typed as a Secret and therefore not redacted.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-42154 (same product: Prometheus Prometheus)
- CVE-2026-22240 (shared CWE-200, CWE-312)
- CVE-2025-26001 (shared CWE-200)
- CVE-2024-48125 (shared CWE-200)
- CVE-2026-32609 (shared CWE-200)
- CVE-2026-27520 (shared CWE-312)
- CVE-2025-62188 (shared CWE-200)
- CVE-2026-25146 (shared CWE-200)
- CVE-2025-55190 (shared CWE-200)
- CVE-2026-34833 (shared CWE-312)

Affected Assets

Vendor: prometheus
Product: prometheus
Affected version ranges: 2.48.0 to 3.5.3 and 3.6.0 to 3.11.3 (fixed in 3.5.3 and 3.11.3)

Mitigating Controls (NIST 800-53 r5)

- Prevent, SC-28 (Protection of Information at Rest): Directly requires protection of sensitive information (OAuth client secrets) at rest so that configuration data served by the /-/config endpoint cannot expose plaintext values.
- Prevent, AC-3 (Access Enforcement): Enforces access restrictions on the /-/config HTTP endpoint so that only authorized actors can retrieve configuration containing the Azure AD secret.
- Prevent: Mandates secure management and handling of authenticators (client_secret) to avoid storage or exposure in plaintext within application configuration.
