VictoriaMetrics

v1.122.22 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 23d Monitoring & Metrics

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

database grafana graphite influxdb kubernetes monitoring

+7 more

observability opentelemetry opentsdb prometheus promql thanos tsdb

ReleasePort's take

Light signal

editorial:auto 13d

The Go builder was upgraded from Go1.26.2 to Go1.26.3 to incorporate security fixes, and several bugfixes were applied across service discovery, query parameter handling, and export APIs.

Why it matters: Patch immediately if using the Go builder; the upgrade addresses security vulnerabilities in Go1.26.2.

Summary

AI summary

Fixed Hetzner discovery label extraction, query parameter priority handling, and added CORS headers on export endpoints.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Go builder upgraded from Go1.26.2 to Go1.26.3 for security fixes Go builder upgraded from Go1.26.2 to Go1.26.3 for security fixes Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix
Bugfix	Medium	Hetzner service discovery labels properly obtained after API response change Hetzner service discovery labels properly obtained after API response change Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Query parameters given priority over request body for extra filters Query parameters given priority over request body for extra filters Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	CORS headers added to export API endpoints CORS headers added to export API endpoints Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

v1.122.22

Released at 2026-05-08

v1.122.x is a line of LTS releases. It contains important up-to-date bugfixes for VictoriaMetrics enterprise.
All these fixes are also included in the latest community release.
The v1.122.x line will be supported for at least 12 months since v1.122.0 release

SECURITY: upgrade Go builder from Go1.26.2 to Go1.26.3. See the list of issues addressed in Go1.26.3.
BUGFIX: vmagent and vmsingle: properly obtain __meta_hetzner_hcloud_location and __meta_hetzner_hcloud_location_network_zone labels for hetzner_sd_configs. Hetzner changed discovery API response and returns location information from different field. See #10909. Thanks to @juliusrickert for contribution.
BUGFIX: vmsingle: and vmselect in VictoriaMetrics cluster: give priority to extra_label and extra_filters[] params defined in URL query string over those defined in request body form, to properly respect constraints imposed by vmauth. See #10908.
BUGFIX: vmsingle and vmselect in VictoriaMetrics cluster: set CORS headers on /api/v1/export, /api/v1/export/csv and /api/v1/export/native. See #10899. Thanks to @andriibeee for the contribution.

Security Fixes

Go builder upgraded from Go1.26.2 to Go1.26.3 addressing security issues

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track VictoriaMetrics

Get notified when new releases ship.

About VictoriaMetrics

VictoriaMetrics: fast, cost-effective monitoring solution and time series database

All releases →