Prometheus | v3.11.3

Prometheus v3.11.3 released on 27-04-2026


Prometheus v3.11.3 is out now. Operators should upgrade to protect OAuth client secrets, enforce snappy decode limits to avoid decompression-related resource exhaustion, and remove a stored XSS vector in the old UI.

See the Prometheus GitHub release page for full notes and downloads.

What’s in this release

  • AzureAD remote_write: fixes an information disclosure where the OAuth client_secret could be returned in plaintext via the /-/config endpoint (GHSA-wg65-39gg-5wfj / CVE-2026-42151).
  • Remote-read: adds validation to reject snappy-compressed requests whose declared decoded length exceeds the configured decode limit, preventing decompression-related resource exhaustion (GHSA-8rm2-7qqf-34qm / CVE-2026-42154).
  • Old UI: fixes a stored cross-site scripting issue where unescaped le label values could appear in heatmap chart tick labels and execute script (GHSA-fw8g-cg8f-9j28).

Upgrade notes

  • Upgrade to v3.11.3 and rotate any client_secret values that may have been exposed (CVE-2026-42151).
  • Ensure your remote-read decode limit is configured so snappy-compressed requests with excessive declared decoded lengths are rejected; upgrading to v3.11.3 enforces this check (CVE-2026-42154).
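The check described above (reject a snappy-compressed request whose declared decoded length exceeds the limit before any decompression happens) as an added, self-contained Go example. This is not Prometheus's own code; it reads the uvarint that begins every snappy block-format payload, and the 64 MiB limit and sample packets are constructed for illustration:

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrDecodedLenExceeded = errors.New("snappy: declared decoded length exceeds limit")
var ErrCorruptHeader = errors.New("snappy: corrupt or truncated length header")

// declaredDecodedLen reads the uvarint that starts a snappy block-format
// payload: the length the sender claims the data decompresses to.
func declaredDecodedLen(src []byte) (uint64, error) {
	v, n := binary.Uvarint(src)
	if n <= 0 { // empty, truncated, or overlong varint
		return 0, ErrCorruptHeader
	}
	return v, nil
}

// checkDecodeLimit rejects a request before any buffer is allocated or any
// decompression is attempted if the declared size exceeds maxDecodedBytes.
func checkDecodeLimit(src []byte, maxDecodedBytes uint64) error {
	n, err := declaredDecodedLen(src)
	if err != nil {
		return err
	}
	if n > maxDecodedBytes {
		return fmt.Errorf("%w: declared %d > limit %d", ErrDecodedLenExceeded, n, maxDecodedBytes)
	}
	return nil
}

// encodeHeader builds a block-format length header declaring decodedLen
// bytes; used here only to construct sample inputs.
func encodeHeader(decodedLen uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	n := binary.PutUvarint(buf, decodedLen)
	return buf[:n]
}

func main() {
	const limit = 64 << 20 // constructed limit: 64 MiB
	// constructed sample: a tiny packet whose header claims 4 GiB of output
	hostile := append(encodeHeader(4<<30), 0x00, 0x00)
	fmt.Println(checkDecodeLimit(hostile, limit))                         // limit error
	fmt.Println(checkDecodeLimit(append(encodeHeader(1024), 0x00), limit)) // <nil>
}
```

The header is only the sender's claim, so this precheck stops oversized allocations but does not replace the decoder's own consistency checks on the actual compressed stream.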

Share your experience with the upgrade or report any issues on the project’s GitHub.
