CVE-2026-42602: CWE-208: Observable Timing Discrepancy in open-telemetry opentelemetry-collector-contrib
azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azure_auth. The extension's Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client's token to the result with string equality — and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens).
AI Analysis
Technical Summary
CVE-2026-42602 is a server-side authentication bypass vulnerability in the azureauthextension of opentelemetry-collector-contrib (versions 0.124.0 to 0.150.0). The Authenticate method fails to properly validate incoming bearer tokens as JWTs and instead compares the client's token to a token obtained from its configured credential using string equality. The scope for the server-side token request is derived from the client-supplied Host header, allowing tokens minted for any Azure resource accessible by the service principal to authenticate if the attacker matches the Host header. This results in replayable tokens being accepted for the full token lifetime, enabling unauthorized authentication to OpenTelemetry receivers using azure_auth.
Potential Impact
An attacker possessing any valid Azure access token for any scope the collector's configured identity can mint can bypass authentication to OpenTelemetry receivers using azure_auth. This can lead to unauthorized access and potentially high impact on integrity and availability of the telemetry data or services relying on the collector. The vulnerability does not affect confidentiality directly but allows impersonation and unauthorized actions within the collector's scope.
Mitigation Recommendations
A patch is available for this vulnerability. Since the affected product is a cloud service, the vendor typically manages remediation server-side. Users should verify with the vendor advisory for confirmation of patch deployment and ensure they are running a version later than 0.150.0 or have applied the official fix. Until patched, avoid relying on azureauthextension for authentication or implement additional validation controls if possible.
CVE-2026-42602: CWE-208: Observable Timing Discrepancy in open-telemetry opentelemetry-collector-contrib
Description
azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azure_auth. The extension's Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client's token to the result with string equality — and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42602 is a server-side authentication bypass vulnerability in the azureauthextension of opentelemetry-collector-contrib (versions 0.124.0 to 0.150.0). The Authenticate method fails to properly validate incoming bearer tokens as JWTs and instead compares the client's token to a token obtained from its configured credential using string equality. The scope for the server-side token request is derived from the client-supplied Host header, allowing tokens minted for any Azure resource accessible by the service principal to authenticate if the attacker matches the Host header. This results in replayable tokens being accepted for the full token lifetime, enabling unauthorized authentication to OpenTelemetry receivers using azure_auth.
Potential Impact
An attacker possessing any valid Azure access token for any scope the collector's configured identity can mint can bypass authentication to OpenTelemetry receivers using azure_auth. This can lead to unauthorized access and potentially high impact on integrity and availability of the telemetry data or services relying on the collector. The vulnerability does not affect confidentiality directly but allows impersonation and unauthorized actions within the collector's scope.
Mitigation Recommendations
A patch is available for this vulnerability. Since the affected product is a cloud service, the vendor typically manages remediation server-side. Users should verify with the vendor advisory for confirmation of patch deployment and ensure they are running a version later than 0.150.0 or have applied the official fix. Until patched, avoid relying on azureauthextension for authentication or implement additional validation controls if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-29T00:31:15.725Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a04e0c9cbff5d861008114a
Added to database: 5/13/2026, 8:36:25 PM
Last enriched: 5/13/2026, 8:51:44 PM
Last updated: 5/14/2026, 6:46:04 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.