{"data":{"id":"0345df05-2066-451b-8c53-873800f14573","title":"GHSA-pjv4-3c63-699f: opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay","summary":"The Azure authentication extension in OpenTelemetry Collector has a critical flaw where it compares bearer tokens (credentials that prove you are who you claim to be) as plain text strings instead of validating them as JWTs (JSON Web Tokens, a standard secure token format). This allows attackers who obtain a valid Azure token to reuse it indefinitely by setting the correct Host header, bypassing authentication entirely.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-pjv4-3c63-699f","publishedAt":"2026-05-06T22:32:43.000Z","cveId":"CVE-2026-42602","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension@>= 0.124.0, <= 0.150.0"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-05-06T22:32:43.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0010"]}}