CVE-2026-42602
CVSS 8.1
An attacker who holds any valid Azure access token (for ARM, Graph, Key Vault, Storage, whatever) can authenticate to your OpenTelemetry Collector's receivers if they are protected by the azureauthextension. The extension never actually validates the incoming JWT: it mints its own token using a scope pulled from the client's Host header, then does a simple string comparison. Pick the right Host value, send a token you already have, and you're in. And because Azure access tokens stay valid for hours, the window is wide.
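The gap between the check described above and one that binds the token to the receiver, as an added illustration that is constructed here and is not the extension's own code: `vulnerable_accept` models the Host-derived comparison, while `hardened_accept` verifies the signature first and then checks issuer, audience and expiry against server-side configuration. HMAC-SHA256 with a constructed key stands in for Entra ID's RS256 signature over a published JWKS, and the audience and issuer values are constructed placeholders.

```python
# Added illustration, not the extension's code; all names and values are constructed.
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the receiver's server-side configuration.
CFG_AUD = "api://otel-collector-placeholder"
CFG_ISS = "https://login.microsoftonline.com/constructed-tenant/v2.0"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def vulnerable_accept(host_header: str, token_aud: str) -> bool:
    """Models the flaw: the value the presented token is compared against is derived from
    the client-controlled Host header, so the client chooses which audience 'matches'."""
    return token_aud == f"https://{host_header}/.default"

def hardened_accept(token: str, key: bytes, now=None):
    """Verify the signature, then bind issuer, audience and expiry to server configuration.
    Returns None when accepted, otherwise the rejection reason. HMAC-SHA256 with a
    constructed key stands in for Entra ID's RS256 signature over a published JWKS."""
    try:
        header, payload, sig = token.split(".")
        presented_sig = _b64url_decode(sig)
    except ValueError:
        return "malformed token"
    expected_sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented_sig, expected_sig):
        return "bad signature"  # nothing in the payload is trusted until this passes
    try:
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return "bad payload"
    if claims.get("iss") != CFG_ISS:
        return "unexpected issuer"
    if claims.get("aud") != CFG_AUD:  # fixed in config, never taken from the request
        return "audience is not this receiver"
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        return "token expired"
    return None

def mint_test_token(key: bytes, claims: dict) -> str:
    """Build a constructed HS256 JWT so the checks can be exercised offline."""
    signing_input = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
```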