CVE-2026-42151
Published 2026-05-04
Priority: P3 (52) · CVSS 3.1: 7.5 high
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.31% (23.1th percentile)
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | prometheus_prometheus | >= 0.45.2 < 0.311.3 | 0.311.3 |
| prometheus | prometheus | < 3.5.3 | 3.5.3 |
| prometheus | prometheus | — | — |
| prometheus | prometheus | >= 2.48.0 < 3.5.3 | 3.5.3 |
| prometheus | prometheus | >= 3.6.0 < 3.11.3 | 3.11.3 |
| rust-lang | rust | — | — |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_redhat · 7.5 HIGH
Red Hat
github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API
vendor_redhat · 2026-05-04 · CVSS 7.5
CVE-2026-42151 [HIGH] CWE-256
A flaw was found in Prometheus, an open-source monitoring system. The `client_secret` field within the Azure Active Directory (AD) remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access to the `/-/config` HTTP API endpoint to view the Azure OAuth client secret in plaintext. This vulnerability leads to information disclosure, potentially compromising the security of integrated Azure AD services.
Package: rust (Red Hat Hardened Images) - Not affected
GHSA
Prometheus Azure AD remote write OAuth client secret exposed via config API
ghsa · 2026-05-05
CVE-2026-42151 [HIGH] CWE-200
### Impact
Users who use Azure AD remote write with OAuth authentication are impacted.
The `client_secret` field in the Azure AD remote write OAuth configuration (`storage/remote/azuread`) was typed as `string` instead of `Secret`. Prometheus redacts fields of type `Secret` when serving the configuration via the `/-/config` HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint.
### Patches
The problem has been patched by changing `ClientSecret` in `OAuthConfig` to `Secret`. Users should upgrade to 3.11.3 or 3.5.3 LTS.
### Workarounds
Users who can not upgrade can switch to Managed Identity or Workloa
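To make the advisory's mechanism concrete, here is an added Go illustration that is not Prometheus' own code: a minimal `Secret` type whose marshaller emits the placeholder `<secret>`, mirroring the redacting-type pattern the advisory relies on, beside a config struct in the pre-fix shape (field typed `string`) and in the post-fix shape (field typed `Secret`). The struct names, the JSON rendering (Prometheus serves YAML) and the sample credential are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"strings"
)

// Secret illustrates the redacting-type pattern (not the upstream type):
// the raw value stays in memory, but marshalling emits "<secret>" instead.
type Secret string

func (s Secret) MarshalJSON() ([]byte, error) {
	if s == "" {
		return []byte(`""`), nil
	}
	return []byte(`"<secret>"`), nil
}

// Pre-fix shape: client_secret is a plain string, so the renderer has
// no hook to redact it.
type VulnerableOAuthConfig struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// Post-fix shape: only the field type changes.
type FixedOAuthConfig struct {
	ClientID     string `json:"client_id"`
	ClientSecret Secret `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// RenderConfig stands in for the config endpoint's serialization step
// (assumed JSON here); HTML escaping is off so "<secret>" appears literally.
func RenderConfig(cfg any) string {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(cfg); err != nil {
		panic(err)
	}
	return strings.TrimSpace(buf.String())
}

// LeaksSecret is the check to run over a captured config response.
func LeaksSecret(rendered, secret string) bool {
	return strings.Contains(rendered, secret)
}
```

The same check applies to a real `/-/config` response: grep the rendered text for the configured credential, and any hit means the field is still a plain string.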
VulDB
Prometheus up to 3.5.2/3.11.2 HTTP API Endpoint storage/remote/azuread client_secret information disclosure (GHSA-wg65-39gg-5wfj)
vuldb · 2026-05-04 · CVSS 7.5
CVE-2026-42151 [HIGH]
A vulnerability identified as problematic has been detected in Prometheus up to 3.5.2/3.11.2. This issue affects the function client_secret of the file storage/remote/azuread of the component HTTP API Endpoint. The manipulation leads to information disclosure.
This vulnerability is listed as CVE-2026-42151. The attack may be initiated remotely. There is no available exploit.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-42151 tailscale: Prometheus: Information disclosure of Azure OAuth client secret via config API [fedora-all]
bugzilla · 2026-06-26 · CVSS 7.5 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-42151 netdata: Prometheus: Information disclosure of Azure OAuth client secret via config API [epel-all]
bugzilla · 2026-06-26 · CVSS 7.5 · HIGH
Bugzilla
CVE-2026-42151 golang-github-prometheus-prom2json: Prometheus: Information disclosure of Azure OAuth client secret via config API [fedora-all]
bugzilla · 2026-06-26 · CVSS 7.5 · HIGH
Bugzilla
CVE-2026-42151 grafana: Prometheus: Information disclosure of Azure OAuth client secret via config API [fedora-all]
bugzilla · 2026-06-26 · CVSS 7.5 · HIGH
Bugzilla
CVE-2026-42151 prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API [epel-all]
bugzilla · 2026-05-26 · CVSS 7.5 · HIGH
Bugzilla
CVE-2026-42151 golang-github-prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API [fedora-all]
bugzilla · 2026-05-26 · CVSS 7.5 · HIGH
Bugzilla
CVE-2026-42151 prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API [fedora-all]
bugzilla · 2026-05-26 · CVSS 7.5 · HIGH
Bugzilla
CVE-2026-42151 github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API
bugzilla · 2026-05-04 · CVSS 7.5 · HIGH
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Rapid7
Patch Tuesday - May 2026
blogs_rapid7 · 2026-05-13 · CVSS 10.0
CVE-2026-41089 [CRITICAL]
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
References:
- https://github.com/prometheus/prometheus/pull/18587
- https://github.com/prometheus/prometheus/pull/18590
- https://github.com/prometheus/prometheus/releases/tag/v3.11.3
- https://github.com/prometheus/prometheus/releases/tag/v3.5.3
- https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj
- https://access.redhat.com/errata/RHSA-2026:25039
- https://access.redhat.com/errata/RHSA-2026:25245
- https://access.redhat.com/errata/RHSA-2026:25504
- https://access.redhat.com/security/cve/CVE-2026-42151
- https://bugzilla.redhat.com/show_bug.cgi?id=2466507
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42151.json
Published: 2026-05-04