Prometheus v3.13.0 released on 01-07-2026

Prometheus v3.13.0 is out now. The LTS release fixes a UI XSS (upgrade of sanitize-html, CVE-2026-44990), embeds third-party npm dependency licenses in the binary at /assets/third-party-licenses.txt (replacing the npm_licenses archive), and publishes container images to GitHub Container Registry (ghcr.io).
See the project’s GitHub release page or prometheus.io for full details and the complete changelog.
What’s in this release
- Security and packaging: upgrade of sanitize-html to address a UI XSS (CVE-2026-44990); third-party npm dependency licenses are embedded and served from /assets/third-party-licenses.txt instead of the npm_licenses archive.
- HTTP clients and redirects: clients no longer forward credentials (Authorization header, basic auth, bearer token, OAuth2, configured headers) when following redirects to a different host, affecting scraping, remote read/write, alerting and service discovery (via prometheus/common v0.69.0; CVE-2025-4673, CVE-2023-45289).
- PromQL, TSDB and performance: PromQL experimental changes rename duration-expression min()/max() to min_of()/max_of() and add scalar min_of(a,b)/max_of(a,b); TSDB adds runtime selection of float chunk encoding (storage.tsdb.chunk_encoding.floats) and fixes EncXOR2 chunk snapshot encoding to avoid corruption, plus multiple correctness and performance improvements.
Upgrade notes
- Redirect behaviour change: because credentials are no longer forwarded across hosts on redirects, review scrape and remote_write endpoints that rely on redirects and test authentication paths after upgrading.
- Rollback: the release notes do not include rollback-specific instructions; follow your standard rollback procedure if you need to revert to an earlier Prometheus release or image.
Share comments on your experience with the upgrade or any issues you encounter.


