RSS

Cortex Security Audit Results

Results of the Cortex third-party security audit targeting multi-tenant isolation and cluster operations, performed by Quarkslab and coordinated by OSTIF.

Introduction

The Cortex maintainer team is publishing the results of a third-party security audit of the Cortex codebase, completed on April 20, 2026.

Cortex is a horizontally scalable, multi-tenant, long-term storage backend for Prometheus. Multi-tenancy is enforced at the application layer via the X-Scope-OrgID header — every read and write path uses this tenant identifier to scope access to time-series data, rules, and alertmanager configurations. The integrity of this boundary is a critical security property.

Given the project’s role as the storage layer for multiple managed Prometheus offerings and large-scale self-hosted deployments, the maintainers requested a dedicated security engagement through the CNCF.

Engagement Details

  • Auditor: Quarkslab
  • Coordinator: OSTIF
  • Assessed commit: b4f5cfc37d83719040de7ca997ec125304a6b766
  • Methodology: Whitebox code review, static analysis, dynamic testing

Scope

The auditors operated from a threat model agreed upon with the maintainers prior to the engagement. The focus areas were:

  1. Tenant boundary integrity — Can a tenant read, write, or delete another tenant’s series, rules, or alertmanager state? Are there code paths where X-Scope-OrgID propagation is missing or bypassable?
  2. Cluster operations — Can an internal component (ingester, compactor, store-gateway) be induced into serving cross-tenant data? Are gossip/memberlist communications authenticated and integrity-checked?
  3. Ingestion path — Remote write, PushStream gRPC, distributor validation, ingester replication.
  4. Query path — Query frontend, querier, store-gateway block loading and filtering.
  5. Configuration and secrets exposure — Runtime config endpoints, debug endpoints.

Findings

7 vulnerabilities identified — 6 Medium, 1 Low. No Critical or High severity issues.

IDTitleRiskImpactAttack Vector
V01Tenant impersonation via PushStream gRPCMediumHigh (cross-tenant write)Authenticated tenant sending crafted gRPC stream with overridden org ID
V02Stored XSSMediumMarginalMalicious metric label values rendered in UI contexts
V03Sensitive information leakageMediumMarginal/config endpoint exposing storage credentials in plaintext
V04Unbound Gzip decompressionMediumMarginal (DoS)Crafted compressed payload causing excessive memory allocation on distributor
V05Uncontrolled memory allocation via protobuf histogramMediumMarginal (DoS)Malformed histogram sample with extreme bucket count
V06Unbounded read on gossip connectionsMediumMarginal (DoS)Oversized gossip packet causing unbounded memory read in memberlist
V07Gossip packet integrity check not enforcedLowNegligibleUnauthenticated gossip messages accepted without HMAC validation

Fix Status

All 7 findings have verified fixes merged to master and shipped in Cortex v1.21.1 (released 2026-06-04).

FindingFixPR
V01 — Tenant impersonation via PushStream gRPCReject PushStream requests where per-message TenantID diverges from authenticated caller; add HMAC-SHA256 stream auth via -distributor.sign-write-requests-keys#7475
V02 — Stored XSSReplace text/template with html/template in Alertmanager and Store Gateway status pages#7512
V03 — Sensitive information leakageMask Swift, etcd, Redis, and HTTP basic-auth credentials on /config endpoint#7473
V04 — Unbound Gzip decompressionCap decompressed body via -distributor.otlp-max-recv-msg-size in ParseProtoReader and OTLP path#7515
V05 — Uncontrolled memory allocation via protobuf histogramAdd WrappedHistogram with configurable size limit (-validation.max-native-histogram-size-bytes, default 16 KB)#7570
V06 — Unbounded read on gossip connectionsAdd -memberlist.packet-read-timeout, -memberlist.max-packet-size, -memberlist.max-concurrent-connections#7518
V07 — Gossip packet integrity check not enforcedDrop incoming TCP transport packets when digest verification fails#7474

Upgrade to v1.21.1 or later to include all security fixes.

Auditor Assessment

From the report:

“Cortex benefits from a solid engineering foundation. The project shows good code quality, extensive test coverage, and strong observability features, all of which contribute to its maintainability and resilience.”

The report also recommended:

  • Tightening default configurations (e.g., enabling gossip encryption by default)
  • Centralizing input validation at ingestion boundaries rather than relying on per-component checks
  • Establishing a dependency update cadence for indirect transitive dependencies

Operator Action Required

If you operate a multi-tenant Cortex cluster:

  1. Update to the v1.21.1 or later release. All fixes are included.
  2. Review your /config endpoint exposure. If you expose Cortex’s HTTP API without authentication, V03 may have been exploitable in your environment.
  3. Consider enabling memberlist encryption (-memberlist.encryption-enabled=true) if your gossip traffic traverses untrusted networks. V07 makes this particularly relevant.
  4. Audit PushStream gRPC access. If you expose the distributor gRPC port to tenants directly (not behind an auth gateway), V01 was exploitable prior to the fix.

Resources

Acknowledgments