This release adds 6 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
ReleasePort's take
Moderate signal

Release v1.144.0 hides sensitive header and proxy URL values from logs, metrics, and flags across vmalert components; also fixes MTLS regression between vmstorage and vminsert.
Why it matters: Security: prevents exposure of authentication headers and proxy URLs (severity 80). Bugfix: restores proper MTLS connection for vmstorage↔vminsert after regression introduced in v1.130.0 (severity 70).
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High | Hide values passed to `-remoteWrite.headers` in logs, `/metrics`, and `/flags`. | — |
| Security | High | Hide values passed to `-remoteWrite.proxyURL` in logs, `/metrics`, and `/flags`. | — |
| Security | High | Hide values passed to `-remoteWrite.headers`, `remoteRead.headers`, `datasource.headers`, and `notifier.headers` in vmalert logs, `/metrics`, and `/flags`. | — |
| Security | High | Hide values passed to `vmalert.proxyURL` in logs, `/metrics`, and `/flags`. | — |
| Feature | Medium | Add `basicAuth.usernameFile` flag to vmagent and vmalert for reading usernames from a file. | — |
| Feature | Medium | Add `clusternative.tls` flag to vminsert for multi‑level VictoriaMetrics cluster setups. | — |
| Feature | Medium | Add `-opentelemetry.labelNameUnderscoreSanitization` flag to control label sanitization when OpenTelemetry Prometheus naming is enabled. | — |
| Feature | Low | Improve logging for `-memory.allowedBytes` to warn about values <1MB. | — |
| Feature | Low | Drain in-memory remote write queue on vmagent shutdown within a 5‑second grace period before persisting blocks to disk. | — |
| Feature | Low | Improve slowness-based rerouting in vminsert to prevent rerouting storms under high cluster load; activates only when p90 saturation <60% and slowest node >20% slower than p90. | — |
| Feature | Low | Add `{{.MetricsAccountID}}` and `{{.MetricsProjectID}}` JWT claim placeholders to vmauth for use in headers and url_prefix config fields. | — |
| Feature | Low | Display null values on vmui Raw Query chart, showing NaN or stale markers instead of dropping them. | — |
| Bugfix | High | Properly establish mtls connection between vmstorage and vminsert after regression in v1.130.0. | — |
| Bugfix | Medium | Prevent unintentional rerouting of samples when a blocked remote‑write target lacks `-remoteWrite.disableOnDiskQueue`. | — |
| Bugfix | Medium | Return error on startup if `-remoteWrite.disableOnDiskQueue` is not uniformly configured across all remote‑write URLs when sharding is enabled. | — |
| Bugfix | Medium | Stop emitting stale quantile outputs in stream aggregation when a time series has no samples during the current interval. | — |
| Bugfix | Medium | Extend delay on aggregation windows flush by the biggest sample lag, preventing premature rejection of outliers as "too old". | — |
| Bugfix | Medium | Fix cardinality limiter bug in vmagent where series with different labels were incorrectly treated as identical and dropped. | — |
| Bugfix | Medium | Make `-denyQueriesOutsideRetention` also reject queries whose end time exceeds `-futureRetention` in vmsingle and vmselect. | — |
| Bugfix | Medium | Fix int64 overflow when parsing timestamp parameters with relative durations across all VictoriaMetrics components. | — |
| Bugfix | Low | Fix panic in vmrestore when `-storageDataPath` ends with a trailing slash. | — |
| Bugfix | Low | Preserve exact series values in vmui graph tooltips without rounding. | — |
| Bugfix | Low | Add missing `__timestamp__` and `__value__` columns to CSV exported from vmui table view on the Query tab. | — |
Full changelog
v1.144.0
Released at 2026-05-22
- FEATURE: all VictoriaMetrics components: improve logging for the `-memory.allowedBytes` flag to warn about excessively low value (less than 1MB). See issue #10935.
- FEATURE: vmagent and vmalert: add `basicAuth.usernameFile` command-line flags for reading basic auth username from a file, similar to the existing `basicAuth.passwordFile`. The file is re-read every second. See #9436. Thanks to @kimjune01 for the contribution.
- FEATURE: `vminsert` in VictoriaMetrics cluster: add `clusternative.tls` `vminsert` configuration flags for multi-level cluster setups. See #10958.
- FEATURE: vmsingle, `vminsert` in VictoriaMetrics cluster and vmagent: add `-opentelemetry.labelNameUnderscoreSanitization` command-line flag to control whether to enable prepending of `key` to labels starting with `_` when `-opentelemetry.usePrometheusNaming` is enabled. See OpenTelemetry docs and #9663. Thanks to @andriibeee for the contribution.
- FEATURE: vmui: improve the Top Queries table UI. Duration columns now display human-readable values (e.g. `1.23s`) instead of raw seconds, memory column shows human-readable sizes (e.g. `1.23 MB`), instant queries are labeled as `instant` instead of empty string, and column headers now show tooltips with descriptions. See #10790.
- FEATURE: vmagent: drain in-memory remote write queue on shutdown within the 5-second grace period before falling back to persisting blocks to disk. See #9996.
- FEATURE: `vminsert` in VictoriaMetrics cluster: Improve slowness-based rerouting to prevent rerouting storms under high cluster load. Previously, rerouting could cascade across storage nodes when the whole cluster was saturated, making the situation worse. Now rerouting only activates when the cluster p90 saturation is below 60%, and the slowest node is more than 20% slower than p90. See #10876.
- FEATURE: vmauth: add `{{.MetricsAccountID}}` and `{{.MetricsProjectID}}` JWT claim placeholders for use in `headers` and `url_prefix` config fields. Previously, only the combined `{{.MetricsTenant}}` (`accountID:projectID`) JWT placeholder was supported, making it impossible to configure multitenancy via headers. See #10927. Thanks to @Vinayak9769 for the contribution.
- FEATURE: vmui: display `null` values on `Raw Query` chart. `null` values can be actual `NaN` or `null` values exposed by the exporter, or stale markers. Before, vmui Raw Query was silently dropping non-numeric values. Displaying such values on the chart could improve the debugging experience. See #10986.
- BUGFIX: stream aggregation: stop emitting stale values for `quantiles(...)` outputs when a time series has no samples during the current aggregation interval. See #10918. Thanks to @alexei38 for the contribution.
- BUGFIX: stream aggregation: extend delay on aggregation windows flush by the biggest lag among pushed samples. Before, the delay was calculated as 95th percentile across samples, which could underrepresent outliers and reject them from aggregation as "too old". See #10402.
- BUGFIX: vmagent: fix a bug in cardinality limiters where series with different labels, like `{a="bc"}` and `{ab="c"}`, could be incorrectly treated as identical and dropped. See #10937.
- BUGFIX: vmagent: hide values passed to `-remoteWrite.headers` in startup logs, `/metrics`, and `/flags`, since they can contain sensitive HTTP headers such as `Authorization` and API keys.
- BUGFIX: vmagent: hide values passed to `-remoteWrite.proxyURL` in startup logs, `/metrics`, and `/flags`, since they can contain sensitive credentials.
- BUGFIX: vmalert: hide values passed to `-remoteWrite.headers`, `remoteRead.headers`, `datasource.headers` and `notifier.headers` in startup logs, `/metrics`, and `/flags`, since they can contain sensitive HTTP headers such as `Authorization` and API keys.
- BUGFIX: `vminsert` in VictoriaMetrics cluster: properly establish mtls connection between vmstorage and vminsert. Regression was introduced in v1.130.0 release for the enterprise version of vmstorage. See #10972.
- BUGFIX: vmrestore: fix a bug where specifying `-storageDataPath` with a trailing slash could cause `vmrestore` to panic. See #10823. Thanks to @utafrali for the contribution.
- BUGFIX: vmagent: prevent unintentional rerouting of samples to other sharding targets when one of the `-remoteWrite.url` targets with `-remoteWrite.disableOnDiskQueue` becomes blocked. Previously this could break the sharding guarantee by sending samples to wrong targets instead of dropping or retrying them. See #10507.
- BUGFIX: vmagent: return error on startup if `-remoteWrite.disableOnDiskQueue` is not configured uniformly across all `-remoteWrite.url` targets when `-remoteWrite.shardByURL` is enabled. Either all targets must have it enabled or all must have it disabled. See #10507.
- BUGFIX: vmsingle and `vmselect` in VictoriaMetrics cluster: hide values passed to `vmalert.proxyURL` in startup logs, `/metrics`, and `/flags`, since they can contain sensitive HTTP headers such as `Authorization` and API keys.
- BUGFIX: vmui: preserve exact series values in graph tooltips instead of rounding them by significant digits. See #10952.
- BUGFIX: all VictoriaMetrics components: fix int64 overflow when parsing timestamp parameters with relative durations. See #10880.
- BUGFIX: vmsingle and `vmstorage` in VictoriaMetrics cluster: `-denyQueriesOutsideRetention` now also rejects queries whose end time is beyond `-futureRetention`. See #10879.
- BUGFIX: vmui: add missing `__timestamp__` and `__value__` columns to CSV exported from the table view on the Query tab. See #10975.
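
A post-upgrade check for the redaction entries above, as an added example (not VictoriaMetrics code and not part of the original changelog): it scans a `/flags` response for the flags this release hides and reports any whose value is still visible. The `-name="value"` line format, the `secret` placeholder and the sample response are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Flag names this release says must be hidden (taken from the changelog).
var sensitiveFlags = map[string]bool{
	"remoteWrite.headers":  true,
	"remoteWrite.proxyURL": true,
	"remoteRead.headers":   true,
	"datasource.headers":   true,
	"notifier.headers":     true,
	"vmalert.proxyURL":     true,
}

// Assumption: a hidden value is rendered as this placeholder.
const redacted = "secret"

// Constructed sample of a /flags response (assumed format: -name="value").
const sampleFlags = `-remoteWrite.url="secret"
-remoteWrite.headers="Authorization: Bearer EXAMPLE-TOKEN"
-remoteWrite.proxyURL="secret"
-remoteWrite.queues="4"
-notifier.headers=""
`

// LeakedFlags returns the names of sensitive flags that are set and whose
// value is shown instead of the redaction placeholder.
func LeakedFlags(flagsBody string) []string {
	var leaked []string
	sc := bufio.NewScanner(strings.NewReader(flagsBody))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		name, value, ok := strings.Cut(strings.TrimPrefix(line, "-"), "=")
		if !ok || !sensitiveFlags[name] {
			continue // not a flag line, or not one of the hidden flags
		}
		value = strings.Trim(value, `"`)
		if value != "" && value != redacted {
			leaked = append(leaked, name)
		}
	}
	return leaked
}

func main() {
	fmt.Println(LeakedFlags(sampleFlags))
}
```

Run it against the saved `/flags` output of each vmagent, vmalert, vmsingle and vmselect instance; an empty result means none of the listed flags is exposed there.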