EXECUTIVE SUMMARY:
CVE-2026-47701 (CVSS 7.7) is a privilege escalation and information disclosure flaw in the OpenTelemetry Operator for Kubernetes (go/github.com/open-telemetry/opentelemetry-operator) affecting all versions prior to 0.152.0. The operator’s TargetAllocator component watches ServiceMonitor CRDs and forwards the `bearerTokenFile` field into the Prometheus scrape configuration; at scrape time the OpenTelemetry Collector pod reads the referenced file from its own filesystem and uses its contents as a Bearer token when contacting the target endpoint. An attacker who can create or modify a ServiceMonitor that matches the collector’s `serviceMonitorSelector` can set `bearerTokenFile` to a path such as `/var/run/secrets/kubernetes.io/serviceaccount/token` and point the endpoint to a server they control, causing the collector to transmit its service‑account JWT on each scrape. This effectively grants the attacker the collector pod’s service‑account identity, which typically has broad read permissions across pods, nodes, endpoints, namespaces, and services, enabling enumeration of cluster resources or further lateral movement. Exploitation requires the collector to be deployed with `targetAllocator.prometheusCR.enabled=true`, the attacker’s ServiceMonitor to be accepted by the selector, and network reachability to the attacker‑controlled scrape target. The vulnerability can also be leveraged to read any file accessible to the collector pod, amplifying the risk of credential leakage and unauthorized data access.
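A defender-side audit for the configuration described above, added here as an example (it is not code from the advisory or from the OpenTelemetry Operator project). It takes the `items` list of `kubectl get servicemonitors -A -o json`, keeps only the monitors a collector's `serviceMonitorSelector` would accept, and reports every endpoint that sets `bearerTokenFile`, rating paths under the pod's own secret mounts highest. The selector, the sensitive-path prefixes and the four ServiceMonitor objects are constructed samples; the selector evaluation follows standard Kubernetes LabelSelector semantics (`matchLabels` plus `matchExpressions`).

```python
"""Audit ServiceMonitors for bearerTokenFile endpoints that a collector's
serviceMonitorSelector would pick up. Added example, not code from the
OpenTelemetry Operator project. Input shape mirrors the "items" list of
`kubectl get servicemonitors -A -o json`; the objects below are constructed."""
from typing import Any

# Constructed stand-in for the collector's targetAllocator serviceMonitorSelector.
COLLECTOR_SELECTOR: dict[str, Any] = {"matchLabels": {"team": "platform"}}

# Prefixes under which the collector pod's own credentials live (assumption:
# illustrative list, extend it with your own secret mount paths).
SENSITIVE_PREFIXES = ("/var/run/secrets/", "/etc/", "/proc/")

# Constructed sample inventory.
SAMPLE_ITEMS: list[dict[str, Any]] = [
    {   # selected and reads the pod's own service-account token -> high
        "metadata": {"name": "app-a", "namespace": "dev", "labels": {"team": "platform"}},
        "spec": {"endpoints": [
            {"port": "metrics",
             "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"}]},
    },
    {   # selected, no token file -> nothing to report
        "metadata": {"name": "app-b", "namespace": "dev", "labels": {"team": "platform"}},
        "spec": {"endpoints": [{"port": "metrics"}]},
    },
    {   # sets a token file but is not selected by this collector -> skipped
        "metadata": {"name": "app-c", "namespace": "other", "labels": {"team": "data"}},
        "spec": {"endpoints": [
            {"port": "metrics",
             "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"}]},
    },
    {   # selected, token file outside the sensitive prefixes -> medium, still review it
        "metadata": {"name": "app-d", "namespace": "dev", "labels": {"team": "platform"}},
        "spec": {"endpoints": [
            {"port": "metrics"},
            {"port": "admin", "bearerTokenFile": "/tmp/scrape-token"}]},
    },
]


def selector_matches(selector: dict[str, Any], labels: dict[str, str]) -> bool:
    """Evaluate a Kubernetes LabelSelector (matchLabels + matchExpressions).
    An empty selector matches every object, as in the Kubernetes API."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values") or []
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def audit_service_monitors(items: list[dict[str, Any]],
                           selector: dict[str, Any]) -> list[dict[str, Any]]:
    """Return one finding per selected endpoint that sets bearerTokenFile."""
    findings: list[dict[str, Any]] = []
    for sm in items:
        meta = sm.get("metadata") or {}
        if not selector_matches(selector, meta.get("labels") or {}):
            continue  # this collector would never scrape it
        endpoints = (sm.get("spec") or {}).get("endpoints") or []
        for idx, ep in enumerate(endpoints):
            path = ep.get("bearerTokenFile")
            if not path:
                continue
            severity = "high" if path.startswith(SENSITIVE_PREFIXES) else "medium"
            findings.append({
                "namespace": meta.get("namespace"),
                "name": meta.get("name"),
                "endpoint": idx,
                "port": ep.get("port"),
                "bearerTokenFile": path,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in audit_service_monitors(SAMPLE_ITEMS, COLLECTOR_SELECTOR):
        print(f"[{f['severity']}] {f['namespace']}/{f['name']} endpoint {f['endpoint']} "
              f"port={f['port']} bearerTokenFile={f['bearerTokenFile']}")
```

Run against the sample inventory it reports `app-a` (high) and the second endpoint of `app-d` (medium); `app-c` is ignored because the collector's selector does not match it, which is exactly the condition the advisory names as a prerequisite. Any `bearerTokenFile` that a scrape target legitimately needs should be reviewed against where that endpoint actually sends the token, and the finding list is a natural input for a periodic CI or admission check.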
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-cxh2-4639-vmc5