
fix(deps): update module github.com/prometheus/prometheus to v0.311.3 [security] (main)#58

Open
anaconda-renovate[bot] wants to merge 1 commit into main from deps-update/main-go-github.com-prometheus-prometheus-vulnerability

Conversation


@anaconda-renovate anaconda-renovate Bot commented Apr 19, 2026

This PR contains the following updates:

Package                           Change
github.com/prometheus/prometheus  v0.304.2 -> v0.311.3
github.com/prometheus/prometheus  v0.55.0  -> v0.311.3
github.com/prometheus/prometheus  v0.302.1 -> v0.311.3

Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer

BIT-prometheus-2026-40179 / CVE-2026-40179 / GHSA-vffh-x6r8-xx99

More information

Details

Impact

Stored cross-site scripting (XSS) via crafted metric names in the Prometheus web UI:

  • Old React UI + New Mantine UI: When a user hovers over a chart tooltip on the Graph page, metric names containing HTML/JavaScript are injected into innerHTML without escaping, causing arbitrary script execution in the user's browser.
  • Old React UI only: When a user opens the Metric Explorer (globe icon next to the PromQL expression input field), and a metric name containing HTML/JavaScript is rendered in the fuzzy search results, it is injected into innerHTML without escaping, causing arbitrary script execution in the user's browser.
  • Old React UI only: When a user views a heatmap chart and hovers over a cell, the le label values of the underlying histogram buckets are interpolated into innerHTML without escaping. While le is conventionally a numeric bucket boundary, Prometheus does not enforce this — arbitrary UTF-8 strings are accepted as label values, allowing script injection via a crafted scrape target or remote write.

With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like <, >, and " are now valid in metric names and labels, making this exploitable.

An attacker who can inject metrics (via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the Graph UI. From the XSS context, an attacker could for example:

  • Read /api/v1/status/config to extract sensitive configuration (although credentials / secrets are redacted by the server)
  • Call /-/quit to shut down Prometheus (only if --web.enable-lifecycle is set)
  • Call /api/v1/admin/tsdb/delete_series to delete data (only if --web.enable-admin-api is set)
  • Exfiltrate metric data to an external server

Both the new Mantine UI and the old React UI are affected. The vulnerable code paths are:

  • web/ui/mantine-ui/src/pages/query/uPlotChartHelpers.ts — tooltip innerHTML with unescaped labels.__name__
  • web/ui/react-app/src/pages/graph/GraphHelpers.ts — tooltip content with unescaped labels.__name__
  • web/ui/react-app/src/pages/graph/MetricsExplorer.tsx — fuzzy search results rendered via dangerouslySetInnerHTML without sanitization
  • web/ui/react-app/src/vendor/flot/jquery.flot.heatmap.js — heatmap tooltip with unescaped label values

Patches

A patch has been published in Prometheus 3.5.2 LTS and Prometheus 3.11.2. The fix applies escapeHTML() to all user-controlled values (metric names and label values) before inserting them into innerHTML. This advisory will be updated with the patched version once released.

Workarounds

  • If using the remote write receiver (--web.enable-remote-write-receiver), ensure it is not exposed to untrusted sources.
  • If using the OTLP receiver (--web.enable-otlp-receiver), ensure it is not exposed to untrusted sources.
  • Ensure scrape targets are trusted and not under attacker control.
  • Do not enable admin / mutating API endpoints (e.g. --web.enable-admin-api or --web.enable-lifecycle) in cases where you cannot prevent untrusted data from being ingested.
  • Users should avoid clicking untrusted links, especially those containing functions such as label_replace, as they may generate poisoned label names and values.

Acknowledgements

Thanks to @gladiator9797 (Duc Anh Nguyen from TinyxLab) for reporting this.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Prometheus: Remote read endpoint allows denial of service via crafted snappy payload

BIT-prometheus-2026-42154 / CVE-2026-42154 / GHSA-8rm2-7qqf-34qm

More information

Details

Impact

The remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory.
An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process.

Patches

Has the problem been patched? What versions should users upgrade to?

Fixed in 3.11.3 and 3.5.3 LTS. Users should upgrade to these versions or later.

Workarounds

Users who cannot upgrade can place Prometheus behind a reverse proxy or firewall that requires authentication before requests reach /api/v1/read.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display

BIT-prometheus-2026-44903 / CVE-2026-44903 / GHSA-fw8g-cg8f-9j28

More information

Details

Impact

In the Prometheus server's legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels.

An attacker who can inject crafted metrics (e.g. via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. From the XSS context, an attacker could for example:

  • Read /api/v1/status/config to extract sensitive configuration (although credentials / secrets are redacted by the server)
  • Call /-/quit to shut down Prometheus (only if --web.enable-lifecycle is set)
  • Call /api/v1/admin/tsdb/delete_series to delete data (only if --web.enable-admin-api is set)
  • Exfiltrate metric data to an external server

Note that this only affects users who have explicitly enabled the legacy Prometheus web UI using the --enable-feature=old-ui command-line flag.

Patches

prometheus/prometheus@38f23b9

Workarounds

If at all possible, disable the legacy web UI by removing the --enable-feature=old-ui command-line flag.

If this is not an option, take the following precautions:

  • If using the remote write receiver (--web.enable-remote-write-receiver), ensure it is not exposed to untrusted sources.
  • If using the OTLP receiver (--web.enable-otlp-receiver), ensure it is not exposed to untrusted sources.
  • Ensure scrape targets are trusted and not under attacker control.
  • Do not enable admin / mutating API endpoints (e.g. --web.enable-admin-api or --web.enable-lifecycle) in cases where you cannot prevent untrusted data from being ingested.
  • Users should avoid clicking untrusted links, especially those containing functions such as label_replace, as they may generate poisoned label names and values.

References

  • CVE-2019-10215 — prior stored DOM XSS vulnerability in Prometheus query history, fixed in v2.7.2
  • CVE-2026-40179 — prior stored DOM XSS vulnerability in Prometheus web UI (hover tooltips and metrics explorer), fixed in v3.11.2

Severity

Moderate

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Prometheus Azure AD remote write OAuth client secret exposed via config API

BIT-prometheus-2026-42151 / CVE-2026-42151 / GHSA-wg65-39gg-5wfj

More information

Details

Impact

Users who use Azure AD remote write with OAuth authentication are impacted.

The client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint.

Patches

The problem has been patched by changing ClientSecret in OAuthConfig to Secret. Users should upgrade to 3.11.3 or 3.5.3 LTS.

Workarounds

Users who cannot upgrade can switch to Managed Identity or Workload Identity authentication for Azure AD remote write, which do not involve a client secret.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

prometheus/prometheus (github.com/prometheus/prometheus)

Versions covered (Compare Source): v0.311.3, v0.311.2, v0.311.1, v0.311.0, v0.310.0, v0.309.1, v0.309.0, v0.308.1, v0.308.0, v0.307.3, v0.307.2, v0.307.1, v0.307.0, v0.306.0, v0.305.3, v0.305.2, v0.305.1, v0.305.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
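The remote read advisory above (CVE-2026-42154) is about a declared decoded length that is never checked before memory is allocated. As an added illustration, not code from Prometheus or from this PR, the guard below reads the snappy length preamble with the Go standard library and rejects a request body whose header claims more than a cap; `maxDecodedLen`, the function names and the constructed sample bodies are assumptions for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Upper bound on the decoded size we are willing to allocate for one
// remote read body. Assumed value for this example, not a Prometheus setting.
const maxDecodedLen = 32 << 20 // 32 MiB

var errTooLarge = errors.New("snappy: declared decoded length exceeds limit")
var errBadHeader = errors.New("snappy: malformed length preamble")

// declaredDecodedLen reads the uvarint that begins every snappy block and
// states the uncompressed length. Nothing is decompressed or allocated here.
func declaredDecodedLen(body []byte) (uint64, error) {
	n, k := binary.Uvarint(body)
	if k <= 0 { // k == 0: truncated header; k < 0: varint overflow
		return 0, errBadHeader
	}
	return n, nil
}

// checkRemoteReadBody is the guard a handler runs before decoding: the
// header is consulted first, so an oversized claim costs no allocation.
func checkRemoteReadBody(body []byte) error {
	n, err := declaredDecodedLen(body)
	if err != nil {
		return err
	}
	if n > maxDecodedLen {
		return fmt.Errorf("%w: declared %d bytes, limit %d", errTooLarge, n, maxDecodedLen)
	}
	return nil
}

// sampleBody is a constructed test input: a length preamble claiming
// decodedLen bytes followed by a single byte. It is not valid snappy data.
func sampleBody(decodedLen uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	k := binary.PutUvarint(buf, decodedLen)
	return append(buf[:k], 0x00)
}

func main() {
	fmt.Println(checkRemoteReadBody(sampleBody(1 << 40))) // rejected before any allocation
	fmt.Println(checkRemoteReadBody(sampleBody(1024)))    // nil: within the cap
}
```

With the github.com/golang/snappy package the same preamble value is available through snappy.DecodedLen, so the cap can be enforced there before calling snappy.Decode.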


anaconda-renovate Bot commented Apr 19, 2026

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: cmd/segment-inspect/go.sum
Command failed: go get -t ./...
go: module github.com/prometheus/prometheus@v0.311.3 requires go >= 1.25.0; switching to go1.25.11
go: downloading github.com/grafana/loki/v3 v3.5.2
go: github.com/grafana/loki/v3@v3.7.2 requires go >= 1.26.2 (running go 1.25.11)

File name: operator/go.sum
Command failed: go get -t ./...
go: module github.com/prometheus/prometheus@v0.311.3 requires go >= 1.25.0; switching to go1.25.11
warning: ignoring symlink /tmp/renovate/repos/github/anaconda/loki/operator/website/content/docs
go: github.com/grafana/loki/operator/internal/validation imports
	github.com/grafana/loki/v3/pkg/logql/syntax imports
	github.com/grafana/loki/v3/pkg/logql/log imports
	github.com/prometheus/prometheus/storage/remote/otlptranslator/prometheus: cannot find module providing package github.com/prometheus/prometheus/storage/remote/otlptranslator/prometheus
go: github.com/grafana/loki/operator/internal/validation imports
	github.com/grafana/loki/v3/pkg/logql/syntax imports
	github.com/grafana/loki/v3/pkg/util imports
	github.com/prometheus/prometheus/tsdb/errors: cannot find module providing package github.com/prometheus/prometheus/tsdb/errors

File name: tools/lambda-promtail/go.sum
Command failed: go get -t ./...
go: module github.com/prometheus/prometheus@v0.311.3 requires go >= 1.25.0; switching to go1.25.11
go: main/lambda-promtail imports
	github.com/grafana/loki/v3/pkg/logproto imports
	github.com/grafana/loki/v3/pkg/storage/stores/shipper/indexshipper/tsdb/index imports
	github.com/prometheus/prometheus/tsdb/errors: cannot find module providing package github.com/prometheus/prometheus/tsdb/errors

@anaconda-renovate anaconda-renovate Bot force-pushed the deps-update/main-go-github.com-prometheus-prometheus-vulnerability branch from df93677 to 5daa61a Compare May 10, 2026 16:29
@anaconda-renovate anaconda-renovate Bot changed the title fix(deps): update module github.com/prometheus/prometheus to v0.311.2 [security] (main) fix(deps): update module github.com/prometheus/prometheus to v0.311.3 [security] (main) May 10, 2026