GHSA-wg65-39gg-5wfj
Prometheus Azure AD remote write OAuth client secret exposed via config API
Details
### Impact
Users who use Azure AD remote write with OAuth authentication are affected.
The `client_secret` field in the Azure AD remote write OAuth configuration (`storage/remote/azuread`) was typed as `string` instead of `Secret`. Prometheus redacts fields of type `Secret` when it serialises the loaded configuration for the `/-/config` HTTP API endpoint. Because the field was a plain string, the serialised configuration contained the Azure OAuth client secret in plaintext, exposing it to any user or process able to reach that endpoint.
### Patches
The problem has been patched by changing `ClientSecret` in `OAuthConfig` to `Secret`. Users should upgrade to 3.11.3 or 3.5.3 LTS.
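The following is an added example, not code from the Prometheus repository or the advisory, that reproduces the class of bug in a stand-alone form. It re-implements the `Secret` pattern (a string type whose marshaller emits a `<secret>` placeholder) with the standard-library JSON encoder instead of the `prometheus/common` config package, places a `string`-typed and a `Secret`-typed `client_secret` side by side, and runs the check an operator would run against a served config: does the rendered output still contain the raw secret? The struct names, the `ServeConfig` stand-in for the endpoint handler and the sample credential values are all constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Secret follows the pattern Prometheus uses for sensitive config fields: a
// string type whose marshaller emits a placeholder instead of the value.
// Stand-alone re-implementation for illustration; it is not the
// prometheus/common config.Secret type itself.
type Secret string

// MarshalJSON redacts a non-empty secret whenever the config is serialised.
// The placeholder is emitted as raw JSON so the encoder below keeps the
// angle brackets instead of \u003c-escaping them.
func (s Secret) MarshalJSON() ([]byte, error) {
	if s != "" {
		return []byte(`"<secret>"`), nil
	}
	return []byte(`""`), nil
}

// UnmarshalJSON accepts the plain value when the config is loaded, so
// redaction applies only on the way out.
func (s *Secret) UnmarshalJSON(b []byte) error {
	var v string
	if err := json.Unmarshal(b, &v); err != nil {
		return err
	}
	*s = Secret(v)
	return nil
}

// VulnerableOAuthConfig is the pre-fix shape: client_secret is a plain
// string, so serialising the loaded config writes it out verbatim.
type VulnerableOAuthConfig struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// FixedOAuthConfig is the post-fix shape: same fields, client_secret typed
// as Secret so the marshaller redacts it.
type FixedOAuthConfig struct {
	ClientID     string `json:"client_id"`
	ClientSecret Secret `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// ServeConfig stands in for a config-status handler: it serialises whatever
// config struct it is handed, exactly as a handler returning the loaded
// config to a client would. HTML escaping is off so "<secret>" stays legible.
func ServeConfig(cfg interface{}) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	enc.SetIndent("", "  ")
	if err := enc.Encode(cfg); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// LeaksSecret is the operator-side check: fetch the served config and grep
// it for the raw credential value.
func LeaksSecret(rendered, secret string) bool {
	return strings.Contains(rendered, secret)
}

// Constructed sample values for the example; not real credentials.
const (
	sampleClientID = "11111111-2222-3333-4444-555555555555"
	sampleSecret   = "constructed-client-secret-DO-NOT-USE"
	sampleTenant   = "66666666-7777-8888-9999-000000000000"
)

// RenderVulnerable serves the string-typed config (leaks the secret).
func RenderVulnerable() (string, error) {
	return ServeConfig(VulnerableOAuthConfig{sampleClientID, sampleSecret, sampleTenant})
}

// RenderFixed serves the Secret-typed config (emits the placeholder).
func RenderFixed() (string, error) {
	return ServeConfig(FixedOAuthConfig{sampleClientID, Secret(sampleSecret), sampleTenant})
}

func main() {
	v, _ := RenderVulnerable()
	f, _ := RenderFixed()
	fmt.Println("string-typed client_secret leaks:", LeaksSecret(v, sampleSecret))
	fmt.Println("Secret-typed client_secret leaks:", LeaksSecret(f, sampleSecret))
	fmt.Print(f)
}
```

The same `LeaksSecret` idea works as an operational check on a running instance: fetch the configuration endpoint with the credentials an ordinary dashboard user holds and search the response for the configured client secret; a hit means the field is still being served unredacted and the instance has not been upgraded or switched to an identity-based credential.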
### Workarounds
Users who cannot upgrade can switch Azure AD remote write to Managed Identity or Workload Identity authentication, neither of which involves a client secret in the configuration.
Affected packages
- github.com/prometheus/prometheus (Go module): affected 0.45.2, fixed in 0.311.3
  `go get github.com/prometheus/prometheus@v0.311.3`
References
- https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-42151 [ADVISORY]
- https://github.com/prometheus/prometheus/pull/18587 [WEB]
- https://github.com/prometheus/prometheus/pull/18590 [WEB]
- https://github.com/prometheus/prometheus [PACKAGE]
- https://github.com/prometheus/prometheus/releases/tag/v3.11.3 [WEB]
- https://github.com/prometheus/prometheus/releases/tag/v3.5.3 [WEB]