GHSA-cxh2-4639-vmc5: OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth
Summary
OpenTelemetry Operator's Target Allocator has a vulnerability where a tenant who can create or update a ServiceMonitor (a Prometheus Operator resource that tells Prometheus what to scrape) can trick the Collector into reading an arbitrary file from its own pod and sending the contents as a bearer token to an endpoint the tenant controls. The Target Allocator turns the ServiceMonitor into scrape configuration, and the `bearerTokenFile` field names a path on the Collector's filesystem, so the tenant chooses both the file that is read and the scrape target that receives it. This allows an attacker to steal the Collector's service account token (the credential that proves the pod's identity to the Kubernetes API), or any other file readable by the Collector process, and potentially use it to access sensitive cluster information.
Solution / Mitigation
PR #5104 adds a `DenyFSAccessThroughSMs` feature that causes the Target Allocator to drop ServiceMonitor and PodMonitor endpoints that reference arbitrary files on the filesystem. When enabled, endpoints with `bearerTokenFile`, `tlsConfig.caFile`, `tlsConfig.certFile`, or `tlsConfig.keyFile` are dropped from the produced scrape configuration while remaining endpoints are kept.
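To make the filtering described above concrete for both the attack path and the mitigation, here is an added example in Go (the operator's language). It is not the operator's code and does not reproduce PR #5104; it is an independent illustration of the same rule: an endpoint that carries `bearerTokenFile` or any of `tlsConfig.caFile`, `tlsConfig.certFile`, `tlsConfig.keyFile` is dropped, every other endpoint is kept, and each drop is reported with the offending field. The struct names (`ServiceMonitor`, `Endpoint`, `TLSConfig`), the functions `fsReferences`, `DenyFSAccess` and `AuditJSON`, and the sample ServiceMonitor are all assumptions constructed for this example; the sample's second endpoint points `bearerTokenFile` at the pod's own service account token, which is the theft described in the Summary.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// TLSConfig mirrors only the tlsConfig fields that name files on the scraping pod.
type TLSConfig struct {
	CAFile   string `json:"caFile,omitempty"`
	CertFile string `json:"certFile,omitempty"`
	KeyFile  string `json:"keyFile,omitempty"`
}

// Endpoint mirrors the ServiceMonitor/PodMonitor endpoint fields relevant here.
type Endpoint struct {
	Port            string     `json:"port"`
	Path            string     `json:"path,omitempty"`
	BearerTokenFile string     `json:"bearerTokenFile,omitempty"`
	TLSConfig       *TLSConfig `json:"tlsConfig,omitempty"`
}

// ServiceMonitor is a minimal stand-in for the monitoring.coreos.com/v1 object
// (hypothetical subset); extra fields in real kubectl output are ignored.
type ServiceMonitor struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		Endpoints []Endpoint `json:"endpoints"`
	} `json:"spec"`
}

// fsReferences lists the fields that would make the Collector read a local file
// and use its contents (as a bearer token or TLS material) in the scrape request.
func fsReferences(ep Endpoint) []string {
	var refs []string
	if ep.BearerTokenFile != "" {
		refs = append(refs, "bearerTokenFile="+ep.BearerTokenFile)
	}
	if tc := ep.TLSConfig; tc != nil {
		fields := []struct{ name, val string }{{"caFile", tc.CAFile}, {"certFile", tc.CertFile}, {"keyFile", tc.KeyFile}}
		for _, f := range fields {
			if f.val != "" {
				refs = append(refs, "tlsConfig."+f.name+"="+f.val)
			}
		}
	}
	return refs
}

// DenyFSAccess keeps endpoints with no filesystem reference and returns one
// reason string per dropped endpoint, naming the offending field(s).
func DenyFSAccess(sm ServiceMonitor) (kept []Endpoint, dropped []string) {
	for i, ep := range sm.Spec.Endpoints {
		refs := fsReferences(ep)
		if len(refs) == 0 {
			kept = append(kept, ep)
			continue
		}
		dropped = append(dropped, fmt.Sprintf("%s/%s endpoints[%d] (port %q): %s",
			sm.Metadata.Namespace, sm.Metadata.Name, i, ep.Port, strings.Join(refs, ", ")))
	}
	return kept, dropped
}

// sampleServiceMonitor is constructed for this example: endpoint 0 is a normal
// scrape, endpoint 1 reads the pod's service account token as the bearer token,
// endpoint 2 reads local files through tlsConfig.
const sampleServiceMonitor = `{
  "apiVersion": "monitoring.coreos.com/v1", "kind": "ServiceMonitor",
  "metadata": {"name": "tenant-app", "namespace": "tenant-a"},
  "spec": {"selector": {"matchLabels": {"app": "tenant-app"}}, "endpoints": [
    {"port": "metrics", "path": "/metrics"},
    {"port": "exfil", "path": "/collect",
     "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"port": "exfil-tls", "path": "/collect",
     "tlsConfig": {"caFile": "/etc/ssl/certs/ca-certificates.crt",
                   "keyFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"}}
  ]}
}`

// AuditJSON parses one ServiceMonitor object (the shape of
// `kubectl get servicemonitor NAME -o json`) and applies DenyFSAccess to it.
func AuditJSON(data string) (kept []Endpoint, dropped []string, err error) {
	var sm ServiceMonitor
	if err = json.Unmarshal([]byte(data), &sm); err != nil {
		return nil, nil, err
	}
	kept, dropped = DenyFSAccess(sm)
	return kept, dropped, nil
}

func main() {
	kept, dropped, err := AuditJSON(sampleServiceMonitor)
	if err != nil {
		panic(err)
	}
	fmt.Printf("kept %d endpoint(s), dropped %d:\n", len(kept), len(dropped))
	for _, d := range dropped {
		fmt.Println("  " + d)
	}
}
```

Because `encoding/json` ignores unknown fields, `AuditJSON` also accepts a real ServiceMonitor exported with `kubectl get servicemonitor NAME -o json`, so the same logic can be used to audit existing ServiceMonitors and PodMonitors for these fields before enabling `DenyFSAccessThroughSMs`, and to see which endpoints the feature would remove from the scrape configuration.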
Vulnerability Details
EPSS: 0.0%
June 10, 2026
Original source: https://github.com/advisories/GHSA-cxh2-4639-vmc5
First tracked: June 10, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 75%