Prometheus v3.11.2 released on 13-04-2026

Prometheus v3.11.2 is out now. It fixes a stored cross-site scripting vulnerability in the web UI (CVE-2026-40179) and adds Consul service discovery improvements that reduce client-side filtering work.
Visit the Prometheus GitHub release page for full details, changelog and the linked pull requests.
What’s in this release
- [SECURITY] UI: Fix stored XSS via unescaped metric names and labels shown in tooltips and the metrics explorer; metric names and labels are now properly escaped to prevent script injection. CVE-2026-40179. Credit: Duc Anh Nguyen (TinyxLab). (PR #18506)
- [ENHANCEMENT] Consul SD: Introduce a new consul_sd field, health_filter, to pass a filter expression to Consul’s Health API for server-side filtering of health checks and services. (PR #18499)
- [BUGFIX] Consul SD: Correct application of the filter parameter to Consul’s Health API so intended filtering is applied as expected. (PR #18499)
Upgrade notes
- Security release — upgrade to v3.11.2 immediately if the web UI is exposed or the instance ingests untrusted metrics; see CVE-2026-40179 and PR #18506 for context.
- No breaking changes reported; follow your normal upgrade procedure and test in staging before rolling to production.
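
For instances that ingest untrusted metrics, the following added example (not code from the Prometheus project) shows one way to triage which jobs already expose metric names, label names or label values containing HTML tag characters, by scanning the JSON body returned by the /api/v1/series endpoint. The function names, the MARKUP_CHARS heuristic and the sample response are assumptions constructed for this example.

```python
import json

# Heuristic (assumption of this example): characters that open or close an
# HTML tag. Widen the set if quotes or '&' also matter to you.
MARKUP_CHARS = frozenset("<>")

# Constructed sample shaped like a GET /api/v1/series response.
SAMPLE_RESPONSE = json.dumps({"status": "success", "data": [
    {"__name__": "up", "job": "node", "instance": "10.0.0.5:9100"},
    {"__name__": "http_requests<b>total", "job": "untrusted-app"},
    {"__name__": "queue_depth", "job": "untrusted-app", "team": "<i>ops</i>"},
    {"__name__": "disk_free", "job": "node", "mount<u>": "/"},
]})


def find_markup(text, chars=MARKUP_CHARS):
    """Return the sorted markup characters present in text."""
    return sorted(set(text) & chars)


def audit_series(response_json, chars=MARKUP_CHARS):
    """Flag metric names, label names and label values that contain markup."""
    body = json.loads(response_json)
    if body.get("status") != "success":
        raise ValueError("series query did not succeed: %r" % body.get("error"))
    findings = []
    for series in body.get("data", []):
        metric = series.get("__name__", "")
        job = series.get("job", "")
        for label, value in series.items():
            if label == "__name__":
                checks = [("metric_name", value)]
            else:
                checks = [("label_name", label), ("label_value", value)]
            for field, text in checks:
                hits = find_markup(text, chars)
                if hits:
                    findings.append({"metric": metric, "job": job, "field": field,
                                     "label": label, "chars": hits})
    return findings


if __name__ == "__main__":
    for finding in audit_series(SAMPLE_RESPONSE):
        print(finding)
```

Each finding names the job whose scrape targets or relabeling rules to review; the check is a heuristic and is independent of whether the instance has been upgraded.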

