Prometheus 3.5.3

Release · · Official release notes ↗

← All Prometheus releases · Searchable index of all 403 changes

Changelog

PR / issue Type Description
Change Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.
Change Brett Gervasoni for the AzureAD OAuth client_secret vulnerability.
Change and for the Old UI XSS vulnerability.
#18587 Security AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151
#18591 Security Remote-Write: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit.
#18585 Security Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154
#18589 Security UI: Fix stored XSS via unescaped le label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28

Reproduced from the official Prometheus 3.5.3 release notes. Last checked 7 Jul 2026, 21:23 UTC.