Server-Side Authentication Bypass in Azure Authenticator Extension
CVE-2026-42602

8.1 HIGH

Key Information:

Vendor:
CVE Published: 13 May 2026

What is CVE-2026-42602?

The Azure Authenticator Extension has a server-side authentication bypass vulnerability affecting versions 0.124.0 to 0.150.0. The flaw allows an attacker holding a valid Azure access token to bypass authentication for any OpenTelemetry receiver configured with the azure_auth method. It stems from the extension’s Authenticate method failing to properly validate incoming bearer tokens as JWTs: instead of validating the client’s token, it retrieves a token using its own credentials and compares the two. Consequently, a token issued for any Azure resource can authenticate to the collector if the attacker supplies a matching Host header. This weakens the security posture of applications using the extension, as such tokens can be replayed for their entire lifetime, risking unauthorized access.
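
The description above locates the defect in the missing JWT validation: the collector compares the presented bearer token with one it fetched for itself, and that comparison carries no signature, issuer or audience binding. The Go program below is an added example written for this page, not the extension's own code. It assumes a throwaway RSA key pair standing in for the identity provider's signing key, placeholder issuer and audience strings, and a local signTestToken helper in place of a real token endpoint and JWKS lookup. It shows what binding a token to the receiver looks like: verify the signature under the trusted key, then check iss, aud and exp, so a genuine token minted for a different resource is refused, as is a token with correct-looking claims signed under an untrusted key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims this validator checks.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// Validator carries the receiver's trust anchors: the issuer it trusts, that
// issuer's signing key (in production fetched from the tenant's JWKS endpoint
// and selected by the token's kid), and the audience tokens must be issued for.
type Validator struct {
	Issuer   string
	Audience string
	Key      *rsa.PublicKey
	Now      func() time.Time
}

var enc = base64.RawURLEncoding

// ValidateBearer verifies an RS256 JWT and binds it to this collector:
// signature over header.payload first, then iss, aud and exp.
func (v *Validator) ValidateBearer(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	hb, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad header encoding: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	// Pin the algorithm; the token must not get to choose it.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(v.Key, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	pb, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	if c.Iss != v.Issuer {
		return nil, fmt.Errorf("untrusted issuer %q", c.Iss)
	}
	if c.Aud != v.Audience {
		return nil, fmt.Errorf("token issued for %q, not for this collector", c.Aud)
	}
	if !v.Now().Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// signTestToken stands in for the identity provider so the demo runs offline.
func signTestToken(key *rsa.PrivateKey, c Claims) string {
	header := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signingInput + "." + enc.EncodeToString(sig)
}

// DemoResult records how the validator treated four constructed tokens.
type DemoResult struct {
	AcceptedGood, RejectedOtherAudience, RejectedForgedKey, RejectedExpired bool
}

// Demo mints constructed tokens under throwaway keys (placeholder issuer and
// audience, not real Azure values) and runs each through the validator.
func Demo() (DemoResult, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return DemoResult{}, err
	}
	rogue, err := rsa.GenerateKey(rand.Reader, 2048) // key the validator does not trust
	if err != nil {
		return DemoResult{}, err
	}
	v := &Validator{
		Issuer:   "https://issuer.example/tenant-id-placeholder/",
		Audience: "api://collector-audience-placeholder",
		Key:      &key.PublicKey,
		Now:      time.Now,
	}
	in1h := time.Now().Add(time.Hour).Unix()
	good := signTestToken(key, Claims{Iss: v.Issuer, Aud: v.Audience, Exp: in1h})
	other := signTestToken(key, Claims{Iss: v.Issuer, Aud: "https://other-resource.example", Exp: in1h})
	forged := signTestToken(rogue, Claims{Iss: v.Issuer, Aud: v.Audience, Exp: in1h})
	expired := signTestToken(key, Claims{Iss: v.Issuer, Aud: v.Audience, Exp: time.Now().Add(-time.Minute).Unix()})
	var r DemoResult
	_, err = v.ValidateBearer(good)
	r.AcceptedGood = err == nil
	_, err = v.ValidateBearer(other)
	r.RejectedOtherAudience = err != nil
	_, err = v.ValidateBearer(forged)
	r.RejectedForgedKey = err != nil
	_, err = v.ValidateBearer(expired)
	r.RejectedExpired = err != nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

The audience check is the one that matters for the bypass described above: the `other` token is genuine and unexpired, and a comparison against a self-fetched token gives no way to tell it apart from one meant for this collector, whereas the validator refuses it because its aud names a different resource. In a real deployment the public key would be looked up from the tenant's JWKS by the token's kid and cached with a refresh interval rather than embedded as here.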

Affected Version(s)

opentelemetry-collector-contrib >= 0.124.0, <= 0.150.0

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved