VictoriaMetrics

v1.136.9

Released at 2026-05-08

v1.136.x is a line of LTS releases. It contains important up-to-date bugfixes for VictoriaMetrics enterprise.
All these fixes are also included in the latest community release.
The v1.136.x line will be supported for at least 12 months since v1.136.0 release

• SECURITY: upgrade Go builder from Go1.26.2 to Go1.26.3. See the list of issues addressed in Go1.26.3.

• BUGFIX: vmagent and vmsingle: properly obtain __meta_hetzner_hcloud_location and __meta_hetzner_hcloud_location_network_zone labels for hetzner_sd_configs. Hetzner changed discovery API response and returns location information from different field. See #10909. Thanks to @juliusrickert for contribution.

• BUGFIX: vmauth: now correctly respects disabling retries via -maxRequestBodySizeToRetry=0. Previously, disabling retries required setting both -maxRequestBodySizeToRetry and -requestBufferSize to 0. See #10857. Thanks to @andriibeee for the contribution.

• BUGFIX: vmbackupmanager: explicitly set the MD5 checksum for DeleteObjects requests. Starting with aws-sdk-go-v2/service/s3 v1.73.0, the SDK switched the checksum algorithm from MD5 to CRC32, which can break compatibility with some third-party S3 implementations, including Dell ECS. See #10907.

• BUGFIX: vmauth: attempt to route requests to the first backend when all backends are marked as broken. Previously, vmauth returned an error immediately without attempting any backend. This change may improve success rate in rare edge cases. See #10837.

• BUGFIX: vmsingle: and vmselect in VictoriaMetrics cluster: give priority to extra_label and extra_filters[] params defined in URL query string over those defined in request body form, to properly respect constraints imposed by vmauth. See #10908.

• BUGFIX: vmsingle and vmselect in VictoriaMetrics cluster: set CORS headers on /api/v1/export, /api/v1/export/csv and /api/v1/export/native. See #10899. Thanks to @andriibeee for the contribution.