Cyber Resilience

CVE-2026-42602

HighPublic PoCUpdated

Published: 13 May 2026

Published
13 May 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0022 12.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-42602 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in Opentelemetry Opentelemetry Collector Contrib. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to…

more

any OpenTelemetry receiver that uses auth: azure_auth. The extension's Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client's token to the result with string equality — and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in publicly exposed OpenTelemetry receiver directly enables exploitation of a public-facing application via token replay and improper JWT validation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29181Same vendor: Opentelemetry
CVE-2026-41433Same vendor: Opentelemetry
CVE-2026-45680Same vendor: Opentelemetry
CVE-2026-45678Same vendor: Opentelemetry
CVE-2026-45686Same vendor: Opentelemetry
CVE-2026-45685Same vendor: Opentelemetry
CVE-2026-1568Shared CWE-287, CWE-347
CVE-2025-1104Shared CWE-287, CWE-290
CVE-2026-33175Shared CWE-287, CWE-290
CVE-2025-1044Shared CWE-287

Affected Assets

opentelemetry
opentelemetry collector contrib
0.124.0 — 0.150.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Detects unauthorized successful logons resulting from improper authentication implementations.

Requires authentication mechanisms on the wireless link, making improper authentication weaknesses harder to exploit.

addresses: CWE-287 CWE-290

Security awareness training instructs users on secure authentication practices and avoiding credential compromise.

addresses: CWE-287 CWE-290

Identity proofing requires collecting, validating, and verifying evidence to resolve claims to unique individuals, directly preventing insufficient proof of identity during account establishment.

addresses: CWE-287 CWE-290

Enforces unique device identification and authentication before any connection is established, directly mitigating improper authentication weaknesses.

addresses: CWE-287 CWE-290

Mandates unique identification and authentication of non-organizational users, directly mitigating improper authentication.

addresses: CWE-287 CWE-290

Requires unique identification and authentication of services before any communications, directly mitigating improper authentication.

addresses: CWE-290 CWE-347

Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source.

References