<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Quarkslab's blog - cortex</title><link href="http://blog.quarkslab.com/" rel="alternate"></link><link href="http://blog.quarkslab.com/feeds/cortex.rss.xml" rel="self"></link><id>http://blog.quarkslab.com/</id><updated>2026-07-06T00:00:00+02:00</updated><entry><title>Cortex Security Audit</title><link href="http://blog.quarkslab.com/cortex-security-audit.html" rel="alternate"></link><published>2026-07-06T00:00:00+02:00</published><updated>2026-07-06T00:00:00+02:00</updated><author><name>Pentesters</name></author><id>tag:blog.quarkslab.com,2026-07-06:/cortex-security-audit.html</id><summary type="html">&lt;p&gt;At the request of the &lt;a href="https://ostif.org/"&gt;Open Source Technology Improvement Fund&lt;/a&gt; (OSTIF), Quarkslab performed a security audit of &lt;a href="https://cortexmetrics.io/"&gt;Cortex&lt;/a&gt;, evaluating the security of its multi-tenant design and the mechanisms protecting tenant isolation.&lt;/p&gt;</summary><content type="html">&lt;h1 id="introduction"&gt;Introduction&lt;/h1&gt;
&lt;p&gt;&lt;a href="https://cortexmetrics.io/"&gt;Cortex&lt;/a&gt; is an open-source, horizontally scalable, highly available, multi-tenant time-series data store designed for Prometheus metrics. It enables organizations to run Prometheus at scale by providing long-term storage, global querying, and high availability across multiple Prometheus instances.&lt;/p&gt;
&lt;p&gt;As part of OSTIF's continuous effort to improve the security of critical open-source infrastructure, Quarkslab performed a security assessment of Cortex. The audit focused on one of the project's core security properties: ensuring strong isolation between tenants in multi-tenant environments.&lt;/p&gt;
&lt;h1 id="scope"&gt;Scope&lt;/h1&gt;
&lt;p&gt;Given the time allocated to the engagement, the assessment focused on the components and security mechanisms responsible for tenant isolation and data segregation. The review was driven by a threat model prepared ahead of the audit, allowing Quarkslab to concentrate on the attack surfaces most relevant to multi-tenant security.&lt;/p&gt;
&lt;p&gt;The assessment covered the &lt;a href="https://github.com/cortexproject/cortex"&gt;Cortex codebase&lt;/a&gt; at commit b4f5cfc37d83719040de7ca997ec125304a6b766.&lt;/p&gt;
&lt;p&gt;The complete technical report, including our findings and recommendations, is available in Quarkslab's &lt;a href="https://github.com/quarkslab/public-reports"&gt;public reports repository&lt;/a&gt;.&lt;/p&gt;
&lt;h1 id="findings"&gt;Findings&lt;/h1&gt;
&lt;p&gt;The table below summarizes the findings of the audit. A total of 7 vulnerabilities were identified: 6 of medium severity and 1 of low severity.&lt;/p&gt;
&lt;table class="table table-striped"&gt;
&lt;thead&gt;
&lt;th&gt;ID&lt;/th&gt;
&lt;th&gt;Title&lt;/th&gt;
&lt;th&gt;Risk&lt;/th&gt;
&lt;th&gt;Impact&lt;/th&gt;
&lt;th&gt;Probability&lt;/th&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;th class="no-wrap" scope="row"&gt;V01&lt;/th&gt;
&lt;td&gt;Tenant impersonation via PushStream gRPC&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;High&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th class="no-wrap" scope="row"&gt;V02&lt;/th&gt;
&lt;td&gt;Stored cross-site scripting - XSS&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;Marginal&lt;/td&gt;
&lt;td&gt;Moderate&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th class="no-wrap" scope="row"&gt;V03&lt;/th&gt;
&lt;td&gt;Sensitive information leakage&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;Marginal&lt;/td&gt;
&lt;td&gt;Moderate&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th class="no-wrap" scope="row"&gt;V04&lt;/th&gt;
&lt;td&gt;Unbound Gzip decompression&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;Marginal&lt;/td&gt;
&lt;td&gt;Moderate&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th class="no-wrap" scope="row"&gt;V05&lt;/th&gt;
&lt;td&gt;Uncontrolled memory allocation via protobuf histogram&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;Marginal&lt;/td&gt;
&lt;td&gt;Moderate&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th class="no-wrap" scope="row"&gt;V06&lt;/th&gt;
&lt;td&gt;Unbounded read on gossip connections&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;Marginal&lt;/td&gt;
&lt;td&gt;Moderate&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th class="no-wrap" scope="row"&gt;V07&lt;/th&gt;
&lt;td&gt;Gossip packet integrity check not enforced&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;Negligible&lt;/td&gt;
&lt;td&gt;Moderate&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt;
All findings have since been resolved, using either the fixes the auditors recommended or alternative mitigations with equivalent effect.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h1 id="conclusion"&gt;Conclusion&lt;/h1&gt;
&lt;p&gt;Overall, the assessment showed that Cortex benefits from a solid engineering foundation. The project shows good code quality, extensive test coverage, and strong observability features, all of which contribute to its maintainability and resilience. During the audit, we nevertheless identified several security issues, including a tenant impersonation vulnerability in the PushStream gRPC handler, a stored cross-site scripting (XSS) vulnerability, and an information disclosure issue exposing sensitive credentials through the /config endpoint.&lt;/p&gt;
&lt;p&gt;Beyond these findings, the audit also highlighted opportunities to further strengthen the project's security posture by adopting more secure default configurations, centralizing input validation, and keeping third-party dependencies up to date. Addressing these areas will help reinforce Cortex's security as it continues to evolve.&lt;/p&gt;
&lt;p&gt;We would like to thank the Cortex maintainers for their responsiveness and collaboration throughout the audit process. We also extend our gratitude to OSTIF for sponsoring and coordinating this assessment.&lt;/p&gt;
&lt;h1 id="further-reading"&gt;Further reading&lt;/h1&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://ostif.org/cortex-audit-complete/"&gt;OSTIF blog post&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</content><category term="Software"></category><category term="audit"></category><category term="OSTIF"></category><category term="cortex"></category><category term="2026"></category></entry></feed>