Prometheus | v3.13.0

Prometheus v3.13.0 released on 01-07-2026


Prometheus v3.13.0 is out now. The LTS release fixes a UI XSS (upgrade of sanitize-html, CVE-2026-44990), embeds third-party npm dependency licenses in the binary at /assets/third-party-licenses.txt (replacing the npm_licenses archive), and publishes container images to GitHub Container Registry (ghcr.io).

See the project’s GitHub release page or prometheus.io for full details and the complete changelog.

What’s in this release

  • Security and packaging: upgrade of sanitize-html to address a UI XSS (CVE-2026-44990); third-party npm dependency licenses are embedded and served from /assets/third-party-licenses.txt instead of the npm_licenses archive.
  • HTTP clients and redirects: clients no longer forward credentials (Authorization header, basic auth, bearer token, OAuth2, configured headers) when following redirects to a different host, affecting scraping, remote read/write, alerting and service discovery (via prometheus/common v0.69.0; CVE-2025-4673, CVE-2023-45289).
  • PromQL, TSDB and performance: PromQL experimental changes rename duration-expression min()/max() to min_of()/max_of() and add scalar min_of(a,b)/max_of(a,b); TSDB adds runtime selection of float chunk encoding (storage.tsdb.chunk_encoding.floats) and fixes EncXOR2 chunk snapshot encoding to avoid corruption, plus multiple correctness and performance improvements.

Upgrade notes

  • Redirect behaviour change: because credentials are no longer forwarded across hosts on redirects, review scrape and remote_write endpoints that rely on redirects and test authentication paths after upgrading.
  • Rollback: the release notes do not include rollback-specific instructions; follow your standard rollback procedure if you need to revert to an earlier Prometheus release or image.

Share comments on your experience with the upgrade or any issues you encounter.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes