CVE-2026-42151

Name: CVE-2026-42151
Description: Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
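
The typing issue in the description, as an added example that is not Prometheus code: a hypothetical `Secret` type and two hypothetical structs show why a plain `string` field survives serialization while a redacting type does not, and `UnredactedFields` is a reflection check a unit test could run over config structs. Standard-library JSON stands in for the real configuration serialization; every name and value here is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// Secret is a hypothetical redacting string type: it never serializes its value.
type Secret string
func (s Secret) MarshalJSON() ([]byte, error) { return []byte(`"<secret>"`), nil }

type OAuthBefore struct { // vulnerable shape: client_secret is a plain string
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
}

type OAuthAfter struct { // fixed shape: client_secret uses the redacting type
	ClientID     string `json:"client_id"`
	ClientSecret Secret `json:"client_secret"`
}

// Render stands in for an endpoint that serializes the loaded configuration.
func Render(cfg any) string {
	var sb strings.Builder
	enc := json.NewEncoder(&sb)
	enc.SetEscapeHTML(false) // keep "<secret>" readable in the output
	_ = enc.Encode(cfg)
	return strings.TrimSpace(sb.String())
}

// UnredactedFields lists secret-named struct fields that are not typed as Secret.
func UnredactedFields(cfg any) []string {
	var out []string
	t := reflect.TypeOf(cfg)
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		if strings.Contains(f.Tag.Get("json"), "secret") && f.Type != reflect.TypeOf(Secret("")) {
			out = append(out, f.Name)
		}
	}
	return out
}

func main() { // sample values below are constructed
	fmt.Println(Render(OAuthBefore{"app-id", "constructed-value"}), UnredactedFields(OAuthBefore{}))
	fmt.Println(Render(OAuthAfter{"app-id", "constructed-value"}), UnredactedFields(OAuthAfter{}))
}
```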

Vulnerable and fixed packages

The table below lists information on source packages.

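| Source Package | Release | Version | Status |
|---|---|---|---|
| prometheus (PTS) | bullseye | 2.24.1+ds-1 | vulnerable |
| prometheus (PTS) | bookworm | 2.42.0+ds-5 | vulnerable |
| prometheus (PTS) | trixie | 2.53.3+ds1-2 | vulnerable |
| prometheus (PTS) | forky, sid | 2.53.5+ds1-4 | vulnerable |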

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| prometheus | source | (unstable) | (unfixed) | | | |

Notes

https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj
https://github.com/prometheus/prometheus/pull/18587
https://github.com/prometheus/prometheus/pull/18590
