PT-2026-38281 · Unknown · Azureauthextension

Published 2026-05-06 · Updated 2026-05-13 · CVE-2026-42602

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: azureauthextension versions 0.124.0 through 0.150.0
Description: A server-side authentication bypass exists in the azureauthextension when used by an OpenTelemetry receiver with auth: azure auth. The Authenticate() function fails to validate incoming bearer tokens as JSON Web Tokens (JWTs), which are compact, URL-safe means of representing claims to be transferred between two parties. Instead, the extension performs a simple string equality comparison between the client's token and a token obtained by the server.
Furthermore, the scope for the server-side token request is derived from the client-supplied Host header. This allows an attacker who possesses a valid Azure access token for any scope the collector's identity can mint (such as ARM, Graph, Key Vault, or Storage) to authenticate to the collector by providing a matching Host header. Tokens are replayable for their entire issued lifetime.
Recommendations: For versions 0.124.0 through 0.150.0, remove azure auth from any receiver auth: blocks. As a temporary mitigation, restrict the use of the azureauthextension on receivers until a patch is available.
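The following is an added illustration, not code from the azureauthextension or the OpenTelemetry Collector: a model of the flawed check described above (scope taken from the Host header, token compared by string equality) next to the validation a receiver-side authenticator should perform instead (signature, expiry, and an audience fixed in the collector's configuration). The issuer, key, audience and token lifetimes are constructed for the example; HMAC-SHA256 stands in for the RS256/JWKS verification real Azure tokens require.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the issuer's signing key. Real Azure tokens are
# RS256-signed and must be verified against the tenant's JWKS; HMAC is used
# here only so the example runs offline.
ISSUER_KEY = b"demo-issuer-key"
EXPECTED_AUD = "api://collector-demo"  # hypothetical audience, fixed in collector config
FIXED_EXP = 2_000_000_000              # constructed: the issuer hands out cached tokens

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(aud: str, exp: int) -> str:
    """Constructed issuer: returns a signed JWT for the given audience."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64u(json.dumps({"aud": aud, "exp": exp}).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"

def vulnerable_authenticate(client_token: str, host: str) -> bool:
    """Model of the flawed check: the scope comes from the client's Host header
    and the presented token is compared for string equality with a token the
    server obtains for that scope. Signature, audience and expiry are never
    checked, so any token the server identity can obtain is accepted."""
    server_token = mint_token(f"https://{host}", FIXED_EXP)
    return client_token == server_token

def authenticate(token: str, now: int) -> tuple:
    """Hardened check: verify the signature, then require the audience the
    collector expects and an unexpired token. The Host header plays no role."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64u_dec(header_b64))
        signature = _b64u_dec(sig_b64)
        claims = json.loads(_b64u_dec(payload_b64))
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'none'
        return False, "unexpected alg"
    expected = hmac.new(ISSUER_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if claims.get("aud") != EXPECTED_AUD:
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    return True, "ok"
```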


Improper Verification of Cryptographic Signature

Improper Authentication

Authentication Bypass by Spoofing

Related Identifiers

CVE-2026-42602
GHSA-PJV4-3C63-699F

Affected Products

Azureauthextension