GHSA-pjv4-3c63-699f: opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
Summary
The Azure authentication extension in OpenTelemetry Collector has a critical flaw where it compares bearer tokens (credentials that prove you are who you claim to be) as plain text strings instead of validating them as JWTs (JSON Web Tokens, a standard secure token format). This allows attackers who obtain a valid Azure token to reuse it indefinitely by setting the correct Host header, bypassing authentication entirely.
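The contrast the advisory describes, as an added illustration (not code from the advisory or from opentelemetry-collector-contrib): the flawed pattern reduced to a plain string comparison, beside a check that treats the bearer value as a JWT and enforces signature, issuer, audience and expiry, so a captured token stops working once it expires. It assumes HS256 with a constructed shared key so it runs offline; Entra ID access tokens are RS256 and would be verified against the tenant's published signing keys, and the issuer and audience strings are placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the subset of JWT claims the hardened check enforces.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// vulnerableAuthenticate mirrors the flawed pattern the advisory describes:
// the bearer value is compared as an opaque string, so nothing ever expires it.
func vulnerableAuthenticate(presented, stored string) bool { return presented == stored }

// hs256 is the HMAC-SHA256 tag over a JWS signing input (constructed shared key,
// offline only; real Entra ID tokens are RS256 with published public keys).
func hs256(input string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// hardenedAuthenticate parses the bearer value as a JWT and enforces signature,
// issuer, audience and expiry, so a replayed token is rejected at exp.
func hardenedAuthenticate(token string, key []byte, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	// Verify the tag over header.payload before trusting anything inside it.
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], key)) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Iss != iss || c.Aud != aud || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("issuer, audience or expiry rejected")
	}
	return &c, nil
}
```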
Vulnerability Details
EPSS: 0.0%
May 6, 2026
Original source: https://github.com/advisories/GHSA-pjv4-3c63-699f
First tracked: May 6, 2026 at 08:00 PM