CVE-2026-42151

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-42151

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42151.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-42151

Aliases

Downstream

CLEANSTART-2026-AP95632

CLEANSTART-2026-AX33738

CLEANSTART-2026-BX78383

CLEANSTART-2026-GZ11549

CLEANSTART-2026-MR08661

CLEANSTART-2026-MV81821

CLEANSTART-2026-NU38786

CLEANSTART-2026-PM88731

CLEANSTART-2026-QS87161

CLEANSTART-2026-TL66481

CLEANSTART-2026-UO11850

DEBIAN-CVE-2026-42151

MINI-2392-hxf2-vggj

MINI-252x-m2fr-7w55

MINI-294h-3rw8-w9gh

MINI-2gfj-gjc9-c7p7

MINI-2hm8-hcgg-r9rc

MINI-2p8f-8pf7-8p37

MINI-3gcw-3jff-w4cw

MINI-48cp-xj2q-2g8g

MINI-48v8-xphh-q272

MINI-4hg6-w99h-x9h7

MINI-4hg8-64w4-9mch

MINI-4w9h-pw2x-3rxg

MINI-55gr-vhfw-5cc9

MINI-58cx-r2j8-pw94

MINI-5fqf-mwc7-m389

MINI-5p74-whq5-qr7h

MINI-5r3f-483p-g5pm

MINI-5v55-2fpc-97x7

MINI-63f3-hc37-24m9

MINI-665f-mh77-gh9j

MINI-6cmq-4rqm-hjpf

MINI-6gf3-qfxc-x4jf

MINI-77hm-3qfc-fj3v

MINI-7893-pxc4-cw97

MINI-7f7c-7c68-j86q

MINI-7ffq-w779-4jrw

MINI-7pjx-c4j6-qgx3

MINI-82fm-v695-x375

MINI-83w6-88g7-xhmh

MINI-8cj3-78qv-66c4

MINI-8jmx-rrwj-hhjf

MINI-8m2q-5586-mvxr

MINI-8r5c-qc96-r8pw

MINI-8w4g-cv7f-62vv

MINI-8wpw-f74q-9958

MINI-964x-cc2j-24pc

MINI-96p9-w675-74r3

MINI-99fp-g339-rj8g

MINI-9h76-46hv-9gcc

MINI-9jj3-6qfx-4776

MINI-9mr2-xj38-xcqw

MINI-9p5h-267c-cqmh

MINI-c4fj-mhc2-379x

MINI-f4j5-7w5r-7gq8

MINI-f4q4-rxvp-9hw9

MINI-ffp2-3mc3-c6wr

MINI-ffrr-hc56-p3cv

MINI-fg3h-p2qw-wwfj

MINI-fgjc-72rx-fv99

MINI-fq8v-hcrw-fpfj

MINI-g2m9-m5c8-65rj

MINI-g2vr-8mxh-rf5w

MINI-g8j3-v7xp-rcvv

MINI-gc2w-5gv3-rqw3

MINI-gqw7-2cwp-p5xj

MINI-gvg5-rfhj-3669

MINI-gx79-rpch-2vf7

MINI-gxhw-r3qh-47wx

MINI-gxxh-h254-rqpc

MINI-hf47-wgm5-gxrq

MINI-hf6w-j3x4-r2x7

MINI-hg5h-j8cv-x2fw

MINI-hhqj-36hm-gv7v

MINI-hr2w-c68g-35hq

MINI-j3w9-vjgc-v5rf

MINI-j98r-8f9c-cw24

MINI-j9mm-pj2w-c59q

MINI-jmmw-jrm5-qm75

MINI-jqc8-cmpg-q4jh

MINI-jrh3-r5q6-3p8r

MINI-m86q-cpq9-pj3v

MINI-m993-r2v9-pr7x

MINI-mchp-6gj6-p8cw

MINI-mcp5-659j-pvv6

MINI-mph2-wf78-j3v9

MINI-p342-j65q-85f9

MINI-p3rh-4mjv-wj6x

MINI-p58m-x8g8-9v72

MINI-p824-99x7-h73j

MINI-p9jq-5rj5-cgp6

MINI-pf3w-xrh9-6h8p

MINI-pv8q-7r65-2h9j

MINI-pwhc-9cjh-c2c4

MINI-q23h-wc58-jjvg

MINI-q63c-7px2-39mx

MINI-qh2h-6r22-rxww

MINI-qr7q-4694-82pm

MINI-qrg9-xcw7-52cv

MINI-qx63-27jx-pp87

MINI-r28c-7837-423v

MINI-r53v-vm7w-8v42

MINI-r762-4j28-34jw

MINI-r876-xv54-pr75

MINI-r8wr-7hw7-rm53

MINI-r93g-r6m5-g2rc

MINI-rp62-m854-q25r

MINI-v3cw-8p9x-mj6g

MINI-v7hx-h4gf-j5xh

MINI-v838-xx2g-g738

MINI-v8pm-m8cm-rp38

MINI-vhch-2gf4-6qh9

MINI-vhh3-pg4q-52gx

MINI-vmmf-5h49-5mqj

MINI-vmpm-hvw5-465p

MINI-vmw5-gc2x-gf54

MINI-vwxr-6gc8-wc98

MINI-vxh3-9gc4-8gmh

MINI-w6qm-vjjp-xqj4

MINI-w8fq-m6xw-j27q

MINI-w8j2-2r32-4vw5

MINI-wrmf-2fxj-m8xm

MINI-wwvc-gg3c-2vwj

MINI-wxrw-vv45-jfp7

MINI-x758-9q2p-vqrg

MINI-xgqj-389w-p8f5

MINI-xjq3-wrjx-4p82

MINI-xmq6-m5cg-p329

MINI-xwjf-3r28-wfwp

ROOT-APP-GOBINARY-CVE-2026-42151

SUSE-SU-2026:2243-1

SUSE-SU-2026:2265-1

UBUNTU-CVE-2026-42151

openSUSE-SU-2026:10676-1

Related

Published

2026-05-04T18:12:16.917Z

Modified

2026-06-18T03:55:54.032829474Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Prometheus Azure AD remote write OAuth client secret exposed via config API

Details

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42151.json",
    "cwe_ids": [
        "CWE-200",
        "CWE-312"
    ]
}

References

Affected packages

Git / github.com/prometheus/prometheus

Affected ranges

Type

GIT

Repo

https://github.com/prometheus/prometheus

Events

Introduced

6d80b30990bc297d95b5c844e118c4011fad8054

Fixed

dcd3d551ced8b8dc14e0217f8cb14e547109cd5f

Introduced

491734606591ef8c188f5489c70380805bc868c0

Fixed

eb173f5256d4022afba1e9bc3d19740a76859fae

Database specific

{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "2.48.0"
        },
        {
            "fixed": "3.5.3"
        },
        {
            "introduced": "3.6.0"
        },
        {
            "fixed": "3.11.3"
        }
    ],
    "cpe": "cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*"
}

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42151.json"