PT-2026-36896 · Unknown · Prometheus

Brettgervasoni · Published 2026-05-04 · Updated 2026-05-25 · CVE-2026-42151

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Prometheus versions prior to 3.5.3
Prometheus versions prior to 3.11.3

Description
The client secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was incorrectly typed as a string instead of a Secret. Consequently, when the configuration is served via the '/-/config' HTTP API endpoint, the Azure OAuth client secret is exposed in plaintext to any user or process with access to that endpoint, because Prometheus only redacts fields explicitly typed as Secret.

Recommendations
Update to version 3.5.3. Update to version 3.11.3.

Fix

Information Disclosure

Weakness Enumeration
Cleartext Storage of Sensitive Information

Related Identifiers

BIT-PROMETHEUS-2026-42151
CLEANSTART-2026-AP95632
CLEANSTART-2026-AX33738
CLEANSTART-2026-MV81821
CLEANSTART-2026-PM88731
CLEANSTART-2026-QS87161
CLEANSTART-2026-TL66481
CVE-2026-42151
GHSA-WG65-39GG-5WFJ
OPENSUSE-SU-2026:10676-1

Affected Products

Prometheus