
Release history

prometheus releases

The Prometheus monitoring system and time series database.

All releases

v3.12.0 Breaking risk
Auth RCE / SSRF

Reject oversized snappy remote writes; fix secret exposure

v3.11.3 Security relevant
Security fixes
  • AzureAD OAuth client_secret exposed in plaintext via /-/config endpoint (CVE-2026-42151, GHSA-wg65-39gg-5wfj)
  • Remote-read snappy-compressed requests with excessive declared decoded length (CVE-2026-42154, GHSA-8rm2-7qqf-34qm)
  • Old UI stored XSS via unescaped `le` label values in heatmap (GHSA-fw8g-cg8f-9j28)
Full changelog

This release fixes multiple security issues.

We would like to thank the following people for the responsible disclosures:

  • Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.

  • Brett Gervasoni for the AzureAD OAuth client_secret vulnerability.

  • @iiihaiii and @Ngocnn97 for the Old UI XSS vulnerability.

  • [SECURITY] AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18590

  • [SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18584

  • [SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18588

v3.5.3 Security relevant
Security fixes
  • AzureAD OAuth client_secret exposure via /-/config endpoint (GHSA-wg65-39gg-5wfj / CVE-2026-42151)
  • Remote-Write snappy decompression decode limit bypass
  • Remote-Read snappy decompression decode limit bypass (GHSA-8rm2-7qqf-34qm / CVE-2026-42154)
Full changelog

This release fixes multiple security issues.

We would like to thank the following people for the responsible disclosures:

  • Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.
  • Brett Gervasoni for the AzureAD OAuth client_secret vulnerability.
  • @iiihaiii and @Ngocnn97 for the Old UI XSS vulnerability.

  • [SECURITY] AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18587
  • [SECURITY] Remote-Write: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. #18591
  • [SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18585
  • [SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18589
v3.11.2 Security relevant
Security fixes
  • Stored XSS via unescaped metric names and labels (CVE-2026-40179)
Notable features
  • Consul SD: Introduced health_filter field for Health API filtering
  • Consul SD: Fixed filter parameter application in Health API
v3.5.2 Security relevant
Security fixes
  • Stored XSS via unescaped metric names and labels (CVE-2026-40179)
Notable features
  • Regex: Performance optimization by removing Simplify call
v3.11.1 Bug fix
Bug fixes
  • [BUGFIX] Tracing: Fix startup failure for OTLP HTTP tracing with `insecure: true`. #18469

v3.11.0 New feature
Notable features
  • AWS Elasticache and RDS discovery
  • Azure Workload Identity support
  • Native histogram operators
v3.10.0 New feature
Breaking changes
  • Alert annotations are now hidden by default on /alerts page
Notable features
  • Distroless Docker image variant with minimal base and UID/GID 65532
  • PromQL fill()/fill_left()/fill_right() binop modifiers for default values
  • OpenAPI 3.2 specification at /api/v1/openapi.yaml
v3.5.1 Maintenance

Long-term support release with dependency updates, including an upgrade of the Docker library from 28.2.2 to 28.5.2, built with Go 1.24.11 for stability and security.

v3.9.1 Bugfix

Bug fix release addressing an agent crash on startup caused by invalid object types, and relabel keep/drop configuration issues in metric scraping.

v3.9.0 Breaking risk
Breaking changes
  • Native Histograms feature flag `native-histogram` is now a no-op; must use `scrape_native_histograms` config option instead
  • TSDB API now enforces maximum limit of 10,000 sets of statistics on status endpoint
Notable features
  • Native Histograms production-ready and integrated throughout system
  • New /api/v1/features endpoint for client feature discovery
  • PromQL histogram support in Rules, SD, and Scraping