VictoriaMetrics

v1.143.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 23d Monitoring & Metrics

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

database grafana graphite influxdb kubernetes monitoring

+7 more

observability opentelemetry opentsdb prometheus promql thanos tsdb

ReleasePort's take

Moderate signal

editorial:auto 13d

Upgrade the Go builder from version 1.26.2 to 1.26.3 across all VictoriaMetrics components.

Why it matters: Patch immediately; the upgrade resolves security issues in Go 1.26.2 that affect every component.

Summary

AI summary

Upgrade Go builder from version 1.26.2 to 1.26.3 addressing security issues.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	upgrade Go builder from Go1.26.2 to Go1.26.3 upgrade Go builder from Go1.26.2 to Go1.26.3 Source: llm_adapter@2026-05-21 Confidence: low	—
Feature
Feature	Medium	suppress TCP health check errors when -tls flag is set suppress TCP health check errors when -tls flag is set Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	add __meta_hetzner_robot_datacenter label for robot role in hetzner_sd_configs add __meta_hetzner_robot_datacenter label for robot role in hetzner_sd_configs Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	add -rule.stripFilePath to support stripping rule file paths add -rule.stripFilePath to support stripping rule file paths Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	add formatTime template function for formatting Unix timestamps add formatTime template function for formatting Unix timestamps Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	support Prometheus native histogram during ingestion support Prometheus native histogram during ingestion Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	introduce vm_fs_info metric exposing filesystem type for -Path flags introduce vm_fs_info metric exposing filesystem type for -Path flags Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	add Kafka (Enterprise) dashboard rows for monitoring traffic and errors add Kafka (Enterprise) dashboard rows for monitoring traffic and errors Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix
Bugfix	Medium	properly obtain __meta_hetzner_hcloud_location and __meta_hetzner_hcloud_location_network_zone labels for hetzner_sd_configs properly obtain __meta_hetzner_hcloud_location and __meta_hetzner_hcloud_location_network_zone labels for hetzner_sd_configs Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	properly discover addresses of storage nodes with enterprise automatic-vmstorage-discovery properly discover addresses of storage nodes with enterprise automatic-vmstorage-discovery Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	respect disabling retries via -maxRequestBodySizeToRetry=0 in vmauth respect disabling retries via -maxRequestBodySizeToRetry=0 in vmauth Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	attempt to route requests to first backend when all backends are broken in vmauth attempt to route requests to first backend when all backends are broken in vmauth Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	prioritize extra_label and extra_filters from URL query over request body in vmsingle and vmselect prioritize extra_label and extra_filters from URL query over request body in vmsingle and vmselect Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	explicitly set MD5 checksum for DeleteObjects requests in vmbackupmanager explicitly set MD5 checksum for DeleteObjects requests in vmbackupmanager Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	set CORS headers on /api/v1/export, /api/v1/export/csv, /api/v1/export/native endpoints set CORS headers on /api/v1/export, /api/v1/export/csv, /api/v1/export/native endpoints Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

v1.143.0

Released at 2026-05-08

SECURITY: upgrade Go builder from Go1.26.2 to Go1.26.3. See the list of issues addressed in Go1.26.3.
FEATURE: all VictoriaMetrics components: suppress TCP health check errors when -tls flag is set. See #10538.
FEATURE: vmagent and vmsingle: add __meta_hetzner_robot_datacenter label for robot role in hetzner_sd_configs. See #10909. Thanks to @juliusrickert for contribution.
FEATURE: vmalert: add -rule.stripFilePath to support stripping rule file paths in logs and all API responses, including /metrics. See #5625.
FEATURE: vmalert: add formatTime template function for formatting a Unix timestamp using the provided layout. For example, {{ now | formatTime "2006-01-02T15:04:05Z07:00" }} returns the current time in RFC3339 format. See issue #10624. Thanks to @andriibeee for the contribution.
FEATURE: vmagent, vmsingle, vminsert in VictoriaMetrics cluster: add support for Prometheus native histogram during ingestion. See #10743.
FEATURE: vmagent, vmsingle, vmselect in VictoriaMetrics cluster and vmstorage in VictoriaMetrics cluster: introduce the vm_fs_info metric. It exposes the filesystem type (e.g., ext4, xfs, nfs) used for -*Path related flags. See #10482.
FEATURE: dashboards/vmagent: add Kafka (Enterprise) row with panels for monitoring traffic (bytes), messages in/out, producer and consumer errors. See #10728.
BUGFIX: vmagent and vmsingle: properly obtain __meta_hetzner_hcloud_location and __meta_hetzner_hcloud_location_network_zone labels for hetzner_sd_configs. Hetzner changed discovery API response and returns location information from different field. See #10909. Thanks to @juliusrickert for contribution.
BUGFIX: vminsert in VictoriaMetrics cluster: properly discover addresses of storage nodes with enterprise automatic-vmstorage-discovery. Bug was introduced at v1.141.0.
BUGFIX: vmauth: now correctly respects disabling retries via -maxRequestBodySizeToRetry=0. Previously, disabling retries required setting both -maxRequestBodySizeToRetry and -requestBufferSize to 0. See #10857. Thanks to @andriibeee for the contribution.
BUGFIX: vmbackupmanager: explicitly set the MD5 checksum for DeleteObjects requests. Starting with aws-sdk-go-v2/service/s3 v1.73.0, the SDK switched the checksum algorithm from MD5 to CRC32, which can break compatibility with some third-party S3 implementations, including Dell ECS. See #10907.
BUGFIX: vmauth: attempt to route requests to the first backend when all backends are marked as broken. Previously, vmauth returned an error immediately without attempting any backend. This change may improve success rate in rare edge cases. See #10837.
BUGFIX: vmsingle: and vmselect in VictoriaMetrics cluster: give priority to extra_label and extra_filters[] params defined in URL query string over those defined in request body form, to properly respect constraints imposed by vmauth. See #10908.
BUGFIX: vmsingle and vmselect in VictoriaMetrics cluster: set CORS headers on /api/v1/export, /api/v1/export/csv and /api/v1/export/native. See #10899. Thanks to @andriibeee for the contribution.

Security Fixes

SECURITY: upgrade Go builder from Go1.26.2 to Go1.26.3 (addresses issues listed in https://github.com/golang/go/issues?q=milestone%3AGo1.26.3%20label%3ACherryPickApproved)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track VictoriaMetrics

Get notified when new releases ship.

About VictoriaMetrics

VictoriaMetrics: fast, cost-effective monitoring solution and time series database

All releases →