The Open Source Technology Improvement Fund (OSTIF) published the results of a security audit of Cortex, the open source long-term, multi-tenant scalable storage system used with Prometheus and OpenTelemetry. The whitebox assessment was carried out by two Quarkslab auditors in early spring 2026 and covered discovery, threat-model review, static code analysis, and dynamic testing, with particular focus on tenant-boundary security and cluster operations.
The audit identified seven findings with security impact, alongside documentation issues and recommendations for future security work. OSTIF said all seven security findings have received verified fixes, and it urged users to update to the latest Cortex release to obtain the remediations. Quarkslab separately published technical details on the audit in its own write-up.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
OSTIF reported that all seven audit findings had received verified fixes and advised users to update to the most recent Cortex release.
The audit found seven issues with security impact in Cortex, along with documentation and recommendations for future security development.
In early spring 2026, two Quarkslab auditors performed a whitebox security assessment of Cortex covering discovery, threat-model review, static code analysis, and dynamic testing, with emphasis on tenant boundary security and cluster operations.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.