Information disclosure (sensitive header values leakage through logs/outputs)
Description
The commit adds RegisterSecretFlag calls for the `*.headers` flags of four vmalert components (-datasource.headers, -notifier.headers, -remoteRead.headers, -remoteWrite.headers). These flags typically carry credentials, such as Authorization or API-key headers, for the datasource, the Alertmanager notifiers and the remote read/write endpoints. Registering them as secret makes the flag-dump paths (startup logging and any flag listing the process exposes) print a placeholder instead of the raw value. Before this change those paths could emit the header values verbatim, so anyone with read access to vmalert's logs or flag listing could recover the credentials: an information-disclosure weakness.
Proof of Concept
PoC steps:
1. Build the vmalert binary from a commit prior to this fix (or use an unpatched release, 1.139.0 or earlier).
2. Run vmalert with sensitive header flags, for example:
./vmalert \
-datasource.url=http://example.api \
-datasource.headers="Authorization: Bearer SECRET_TOKEN" \
-notifier.headers="X-Api-Key: SECRET_KEY" \
-log.level=debug
3. Start vmalert and inspect the startup log (or any other place where the build dumps its parsed flags; the exact location depends on the build and logging configuration). The raw header flag values appear in the output, e.g.:
INFO: flags: datasource.headers=Authorization: Bearer SECRET_TOKEN, notifier.headers=X-Api-Key: SECRET_KEY
or a similar line in which the header values are printed in plaintext.
4. Anyone who can read these logs (log aggregators, shared consoles, support bundles) now holds the bearer token and the API key; that is the information disclosure.
5. After applying this patch the four `*.headers` flags are registered as secret, so the same dump prints a placeholder instead (e.g., datasource.headers=[REDACTED], notifier.headers=[REDACTED]). Confirm by searching the startup log for the literal token values: there should be no match.
Note: The exact wording and location of the log lines depend on the build and logging configuration, but the vulnerability is present whenever a flag dump or startup log reveals the header values.
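To make the before/after in the Description and the PoC concrete, here is an added, self-contained Go example. It is not VictoriaMetrics' own flagutil code (which is not reproduced here); it reimplements the same idea on top of Go's standard flag package: declare the four header flags named in the patch, dump all flags once without and once with secret registration, and check that the raw token disappears while the non-secret URL stays visible. The flag names match the patch; the dump format, the "secret" placeholder and the helper names (RegisterSecretFlag, IsSecretFlag, DumpFlags, LeaksSecret) are assumptions made for this example.

```go
package main

import (
	"flag"
	"fmt"
	"strings"
)

// secretFlags is the registry of flag names whose values must never be
// printed. Assumption: this mirrors the shape of flagutil.RegisterSecretFlag
// but is an independent reimplementation, not the VictoriaMetrics code.
var secretFlags = map[string]bool{}

// RegisterSecretFlag marks flagName as secret. It must be called before
// the flags are dumped, otherwise the earlier dump already leaked the value.
func RegisterSecretFlag(flagName string) { secretFlags[flagName] = true }

// IsSecretFlag reports whether flagName was registered as secret.
func IsSecretFlag(flagName string) bool { return secretFlags[flagName] }

// headerFlagNames are the four flags the patch registers as secret.
var headerFlagNames = []string{
	"datasource.headers",
	"notifier.headers",
	"remoteRead.headers",
	"remoteWrite.headers",
}

// registerVmalertHeaderFlagsAsSecret does what the four hunks of the patch do.
func registerVmalertHeaderFlagsAsSecret() {
	for _, name := range headerFlagNames {
		RegisterSecretFlag(name)
	}
}

// DumpFlags renders every flag in fs the way a startup log or a flag listing
// would, replacing the value of registered secret flags with "secret".
// The output format is an assumption, not the project's real log format.
func DumpFlags(fs *flag.FlagSet) string {
	var lines []string
	fs.VisitAll(func(f *flag.Flag) { // VisitAll visits flags in lexical order
		v := f.Value.String()
		if IsSecretFlag(f.Name) {
			v = "secret"
		}
		lines = append(lines, fmt.Sprintf("flag %q=%q", f.Name, v))
	})
	return strings.Join(lines, "\n")
}

// newVmalertLikeFlagSet declares a URL flag plus the four header flags on a
// fresh FlagSet (plain strings here; the real flags are array-valued) and
// parses args into it.
func newVmalertLikeFlagSet(args []string) (*flag.FlagSet, error) {
	fs := flag.NewFlagSet("vmalert", flag.ContinueOnError)
	fs.String("datasource.url", "", "datasource URL")
	for _, name := range headerFlagNames {
		fs.String(name, "", "optional HTTP headers as 'Name: value' pairs")
	}
	err := fs.Parse(args)
	return fs, err
}

// LeaksSecret reports whether dump still contains any of the given values.
func LeaksSecret(dump string, values ...string) bool {
	for _, v := range values {
		if strings.Contains(dump, v) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample command line, same values as in the PoC above.
	args := []string{
		"-datasource.url=http://example.api",
		"-datasource.headers=Authorization: Bearer SECRET_TOKEN",
		"-notifier.headers=X-Api-Key: SECRET_KEY",
	}
	fs, err := newVmalertLikeFlagSet(args)
	if err != nil {
		panic(err)
	}
	fmt.Println("before registration (unpatched behaviour):")
	fmt.Println(DumpFlags(fs))
	registerVmalertHeaderFlagsAsSecret()
	fmt.Println("after registration (patched behaviour):")
	fmt.Println(DumpFlags(fs))
}
```

The order matters: registration has to happen before any code path dumps the flags, which is why the project does it in an InitSecretFlags step rather than lazily. Running the block prints the header values once in clear and once as "secret"; grepping the second dump for the token is the same check step 5 of the PoC applies to a real vmalert log.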
Commit Details
Author: f41gh7
Date: 2026-05-19 11:24 UTC
Message:
app/vmalert: hide *.headers as secret flags
follow-up for 33d8e02ea8fe4326d2e5860488920075659155e7
This commit registers vmalert `*.headers` flags as secret flags in the
same way as vmagent does.
Triage Assessment
Vulnerability Type: Information disclosure
Confidence: HIGH
Reasoning:
The commit marks the four *.headers flags as secret so their values are redacted in logs and flag dumps, preventing leakage of credentials carried in HTTP headers. This is a security hardening that mitigates information disclosure.
Verification Assessment
Vulnerability Type: Information disclosure (sensitive header values leakage through logs/outputs)
Confidence: HIGH
Affected Versions: <= 1.139.0
Code Diff
diff --git a/app/vmalert/datasource/init.go b/app/vmalert/datasource/init.go
index bb44b7d77d673..7cccab8f97f01 100644
--- a/app/vmalert/datasource/init.go
+++ b/app/vmalert/datasource/init.go
@@ -64,6 +64,7 @@ func InitSecretFlags() {
if !*showDatasourceURL {
flagutil.RegisterSecretFlag("datasource.url")
}
+ flagutil.RegisterSecretFlag("datasource.headers")
}
// ShowDatasourceURL whether to show -datasource.url with sensitive information
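Review bot: the new RegisterSecretFlag("datasource.headers") call is unconditional, while the datasource.url registration three lines above it is gated on showDatasourceURL; if hiding headers with no escape hatch is intended (reasonable, since a header value is almost always a credential), say so in a one-line comment next to the call and in the docs/CHANGELOG, because operators who used the startup flag dump to debug a misconfigured -datasource.headers lose that visibility without a -datasource.showURL-style toggle.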
diff --git a/app/vmalert/notifier/init.go b/app/vmalert/notifier/init.go
index aa30a0fabc3df..e76645c553b75 100644
--- a/app/vmalert/notifier/init.go
+++ b/app/vmalert/notifier/init.go
@@ -194,6 +194,7 @@ func InitSecretFlags() {
if !*showNotifierURL {
flagutil.RegisterSecretFlag("notifier.url")
}
+ flagutil.RegisterSecretFlag("notifier.headers")
}
func notifiersFromFlags(gen AlertURLGenerator) ([]Notifier, error) {
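Review bot: "notifier.headers" is passed as a bare string literal, so nothing here checks that it matches the declared flag name; a typo or a later rename of the flag would leave the real flag unredacted with no compile error. Add a unit test that parses the notifier flags and asserts the name is treated as secret, so the redaction of what is usually the Alertmanager auth token is pinned rather than assumed.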
diff --git a/app/vmalert/remoteread/init.go b/app/vmalert/remoteread/init.go
index f43c713d3c081..3ac54666b656b 100644
--- a/app/vmalert/remoteread/init.go
+++ b/app/vmalert/remoteread/init.go
@@ -59,6 +59,7 @@ func InitSecretFlags() {
if !*showRemoteReadURL {
flagutil.RegisterSecretFlag("remoteRead.url")
}
+ flagutil.RegisterSecretFlag("remoteRead.headers")
}
// Init creates a Querier from provided flag values.
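Review bot: this hunk hides remoteRead.headers but touches none of the other credential-bearing remoteRead flags (basic-auth, bearer-token and similar); the commit message says this is a follow-up to 33d8e02ea8fe4326d2e5860488920075659155e7, so please confirm in the description that those were already covered there, otherwise the remote-read path still leaks via a sibling flag after this change.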
diff --git a/app/vmalert/remotewrite/init.go b/app/vmalert/remotewrite/init.go
index 35185c6413534..380c0218bb1a1 100644
--- a/app/vmalert/remotewrite/init.go
+++ b/app/vmalert/remotewrite/init.go
@@ -62,6 +62,7 @@ func InitSecretFlags() {
if !*showRemoteWriteURL {
flagutil.RegisterSecretFlag("remoteWrite.url")
}
+ flagutil.RegisterSecretFlag("remoteWrite.headers")
}
// Init creates Client object from given flags.
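Review bot: this is the fourth copy of the same two-line pattern (url registration gated on a show flag, headers registered unconditionally) across datasource, notifier, remoteread and remotewrite; consider a single table-driven test in app/vmalert that iterates the four "*.headers" names and asserts each is secret, so the next component that grows a headers flag cannot be forgotten the way this commit had to catch up with vmagent.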