prometheus

v3.5.3 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.

Published 1mo Monitoring & Metrics

✓ No known CVEs patched

This release patches 4 known CVEs

Topics

alerting graphing prometheus monitoring time-series

Summary

AI summary

Fixes four security vulnerabilities in AzureAD OAuth, snappy decompression, and UI XSS.

Full changelog

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.
Brett Gervasoni for the AzureAD OAuth client_secret vulnerability.
@iiihaiii and @Ngocnn97 for the Old UI XSS vulnerability.

[SECURITY] AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18587
[SECURITY] Remote-Write: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. #18591
[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18585
[SECURITY] UI: Fix stored XSS via unescaped le label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18589

AzureAD OAuth client_secret exposure via /-/config endpoint (GHSA-wg65-39gg-5wfj / CVE-2026-42151)
Remote-Write snappy decompression decode limit bypass
Remote-Read snappy decompression decode limit bypass (GHSA-8rm2-7qqf-34qm / CVE-2026-42154)
Stored XSS in old UI heatmap chart via unescaped le label values (GHSA-fw8g-cg8f-9j28)

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Track prometheus

Get notified when new releases ship.

About prometheus

The Prometheus monitoring system and time series database.