At the request of the Open Source Technology Improvement Fund (OSTIF), Quarkslab performed a security audit of Cortex, evaluating the security of its multi-tenant design and the mechanisms protecting tenant isolation.


Introduction

Cortex is an open-source, horizontally scalable, highly available, multi-tenant time-series data store designed for Prometheus metrics. It enables organizations to run Prometheus at scale by providing long-term storage, global querying, and high availability across multiple Prometheus instances.

As part of OSTIF's continuous effort to improve the security of critical open-source infrastructure, Quarkslab performed a security assessment of Cortex. The audit focused on one of the project's core security properties: ensuring strong isolation between tenants in multi-tenant environments.

Scope

Given the time allocated to the engagement, the assessment focused on the components and security mechanisms responsible for tenant isolation and data segregation. The review was driven by a threat model prepared ahead of the audit, allowing Quarkslab to concentrate on the attack surfaces most relevant to multi-tenant security.

The assessment covered the Cortex codebase at commit b4f5cfc37d83719040de7ca997ec125304a6b766.

The complete technical report, including our findings and recommendations, is available in Quarkslab's public reports repository.

Findings

The table below summarizes the findings of the audit. A total of 7 vulnerabilities were identified: 6 of medium severity and 1 of low severity.

ID Title Risk Impact Probability
V01 Tenant impersonation via PushStream gRPC Medium High Low
V02 Stored cross-site scripting - XSS Medium Marginal Moderate
V03 Sensitive information leakage Medium Marginal Moderate
V04 Unbound Gzip decompression Medium Marginal Moderate
V05 Uncontrolled memory allocation via protobuf histogram Medium Marginal Moderate
V06 Unbounded read on gossip connections Medium Marginal Moderate
V07 Gossip packet integrity check not enforced Low Negligible Moderate

Note: All findings have since been resolved, using either the fixes the auditors recommended or alternative mitigations with equivalent effect.

Conclusion

Overall, the assessment showed that Cortex benefits from a solid engineering foundation. The project shows good code quality, extensive test coverage, and strong observability features, all of which contribute to its maintainability and resilience. During the audit, we nevertheless identified several security issues, including a tenant impersonation vulnerability in the PushStream gRPC handler, a stored cross-site scripting (XSS) vulnerability, and an information disclosure issue exposing sensitive credentials through the /config endpoint.

Beyond these findings, the audit also highlighted opportunities to further strengthen the project's security posture by adopting more secure default configurations, centralizing input validation, and keeping third-party dependencies up to date. Addressing these areas will help reinforce Cortex's security as it continues to evolve.

We would like to thank the Cortex maintainers for their responsiveness and collaboration throughout the audit process. We also extend our gratitude to OSTIF for sponsoring and coordinating this assessment.

Further reading


If you would like to learn more about our security audits and explore how we can help you, get in touch with us!