CVE-2026-42151

🗓️ 04 May 2026 18:12:16Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 35 Views🌐 WEB

Prometheus exposed Azure Active Directory remote write client secret via config API; fixed in 3.5.3 and 3.11.3.

Reporter	Title	Published	Views	Family All 167
ATTACKERKB	CVE-2026-42151	4 May 202618:12	–	attackerkb
AlpineLinux	CVE-2026-42151	4 May 202618:12	–	alpinelinux
CBLMariner	CVE-2026-42151 affecting package telegraf for versions less than 1.31.0-22	5 Jun 202612:59	–	cbl_mariner
Chainguard	CVE-2026-42151 vulnerabilities	26 May 202613:18	–	cgr
Circl	CVE-2026-42151	4 May 202619:28	–	circl
CNNVD	Prometheus 信息泄露漏洞	4 May 202600:00	–	cnnvd
Cvelist	CVE-2026-42151 Prometheus Azure AD remote write OAuth client secret exposed via config API	4 May 202618:12	–	cvelist
Debian CVE	CVE-2026-42151	4 May 202618:12	–	debiancve
EUVD	EUVD-2026-27089	5 May 202619:33	–	euvd
Tenable Nessus	Fedora 43 : prometheus (2026-dfc0e362e6)	22 Jun 202600:00	–	nessus

NVD

Vulners

Node

prometheus prometheusRange2.48.0–3.5.3

prometheus prometheusRange3.6.0–3.11.3

[
  {
    "vendor": "prometheus",
    "product": "prometheus",
    "versions": [
      {
        "version": "< 3.5.3",
        "status": "affected"
      },
      {
        "version": ">= 3.6.0, < 3.11.3",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/prometheus/prometheus/pull/18587
github	www.github.com/prometheus/prometheus/pull/18590
github	www.github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj
github	www.github.com/prometheus/prometheus/releases/tag/v3.11.3
github	www.github.com/prometheus/prometheus/releases/tag/v3.5.3

Parameter	Position	Path	Description	CWE
storage/remote/azuread/client_secret	nested	/-/config	Azure AD OAuth client_secret exposed in plaintext via /-/config endpoint due to string-typed field; fixed in versions 3.5.3 and 3.11.3.	CWE-312, CWE-200

17 Jun 2026 10:47Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.17.5

EPSS0.00249

SSVC