Prometheus | v3.11.3

Prometheus v3.11.3 released on 27-04-2026


Prometheus v3.11.3 is out now. It fixes multiple security vulnerabilities affecting remote-read, AzureAD remote-write OAuth client_secret exposure, and a stored XSS in the old UI.

Users should consult the Prometheus GitHub release notes and the linked PRs for full technical details and remediation steps.

What’s in this release

  • AzureAD remote write: fixes OAuth client_secret being exposed in plaintext via the /-/config endpoint (CVE-2026-42151, GHSA-wg65-39gg-5wfj).
  • Remote-read: rejects snappy-compressed requests whose declared decoded length exceeds the configured decode limit, closing a snappy decode vulnerability (CVE-2026-42154, GHSA-8rm2-7qqf-34qm).
  • Old UI: fixes a stored XSS via unescaped le label values in heatmap chart tick labels (GHSA-fw8g-cg8f-9j28).

Upgrade notes

  • No breaking changes reported. Upgrade to v3.11.3 immediately to receive the security fixes and follow the remediation guidance in the linked PRs; rotate any AzureAD client_secrets that may have been exposed.
  • Rollback: if you must revert to an earlier release, assume affected secrets or sessions may already be exposed and rotate credentials and sessions where appropriate.

Please share comments on your upgrade experience or any issues you encounter.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes