Prometheus 3.11.3
← All Prometheus releases · Searchable index of all 403 changes
Changelog
| PR / issue | Type | Description |
|---|---|---|
| — | Change | Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability. |
| — | Change | Brett Gervasoni for the AzureAD OAuth client_secret vulnerability. |
| — | Change | and for the Old UI XSS vulnerability. |
| #18590 | Security | AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 |
| #18584 | Security | Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 |
| #18588 | Security | UI: Fix stored XSS via unescaped le label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 |
Reproduced from the official Prometheus 3.11.3 release notes. Last checked 7 Jul 2026, 21:23 UTC.