Vulnerability Reportthanosio/thanos:main-2026-06-17-a50c989

thanosio/thanos:main-2026-06-17-a50c989

DIGESTsha256:f8935c6b538c5a4d5c159a04e72f56ab5e6821d8cc786e07f238b4bfebdebdd0

Executive Summary

Threat ScoreNEEDS ATTENTION• 2 exposed medium-severity vulnerabilities (CVSS 6.38) on exposed surface: CVE-2026-42151 and CVE-2026-42154• 24 total vulnerabilities, but only 2 with severity >=6; no high-severity issues (>=7)• 7 post-exploit only vulnerabilities found, all with severity <6, limiting lateral impact• Image is from high-reputation community publisher (75M+ pulls) and pinned by digest• CVE-2026-42151 only exploitable if Azure OAuth is configured; CVE-2026-42154 is a DoS via remote read endpoint

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (75M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The two moderate-severity vulnerabilities on the exposed surface (CVE-2026-42151 and CVE-2026-42154) could cause information disclosure of Azure OAuth secrets or denial of service, respectively. However, CVE-2026-42151 only applies if Azure OAuth is configured, and the remaining vulnerabilities are low-severity or require local access. Patching to a later version of Prometheus (≥3.5.3 or ≥3.11.3) would fully address both issues.

Vulnerabilities

Vulnerability Log

31 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42151	MEDIUM6.38	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3	0.2% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42154	MEDIUM6.38	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3, 0.305.2	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.39.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-39821	MEDIUM5.58	golang.org/x/net v0.49.0 fixed in 0.55.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34986	MEDIUM5.1	github.com/go-jose/go-jose/v4 v4.1.3 fixed in 4.1.4	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-29181	MEDIUM5.1	go.opentelemetry.io/otel v1.39.0 fixed in 1.41.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-40179	MEDIUM4.14	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.2-0.20260410083055-07c6232d159b	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-44903	MEDIUM4.14	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39828	LOW2.69	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-39829	LOW2.29	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39830	LOW2.29	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-33814	LOW2.29	golang.org/x/net v0.49.0 fixed in 0.53.0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42508	LOW2.26	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-46595	LOW2.17	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-46598	LOW1.62	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-2303	NONE0	go.mongodb.org/mongo-driver v1.17.6 fixed in 1.17.7	0.2% Theoretical Threat	Not Applicable
CVE-2026-39882	NONE0	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0 fixed in 1.43.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-24051	NONE0	go.opentelemetry.io/otel/sdk v1.39.0 fixed in 1.40.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39827	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39835	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-46597	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39831	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39832	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39833	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39834	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.5% Theoretical Threat	Not Applicable
CVE-2026-25680	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-25681	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-27136	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42502	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42506	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39824	NONE0	golang.org/x/sys v0.40.0 fixed in 0.44.0	0.1% Theoretical Threat	Not Applicable