=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN467
_____________________________________________________________________

DATE                : 06/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Prometheus versions prior to
                     3.5.3, 3.11.3.

=====================================================================
https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm
https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj
https://github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28
_____________________________________________________________________

Remote read endpoint allows denial of service via crafted snappy
payload

High
roidelapluie published GHSA-8rm2-7qqf-34qm Apr 27, 2026

Package
Prometheus

Affected versions
< 3.5.3 ; >= 3.6.0 and < 3.11.3

Patched versions
3.5.3 and 3.11.3


Description

Impact

The remote read endpoint (/api/v1/read) does not validate the
declared decoded length in a snappy-compressed request body
before allocating memory.

An unauthenticated attacker can send a small payload that
causes a huge heap allocation per request. Under concurrent
load this can exhaust available memory and crash the
Prometheus process.
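The check the advisory describes is the one a decoder must do before it sizes its output buffer: a snappy block-format payload opens with a uvarint stating the decompressed length, and a decoder that trusts that number allocates it. The following Go program is an added example, not Prometheus code and not the actual patch; it parses that preamble with the standard library only, rejects a declared length above a cap, and shows where the check sits in an HTTP handler. The cap (maxDecodedLen), the handler name and the placeholder decode callback are assumptions for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// maxDecodedLen is a hypothetical cap on the decompressed size accepted for
// one request body. It is an assumption for this example, not a Prometheus
// setting; size it to the largest legitimate request you expect.
const maxDecodedLen uint64 = 64 << 20 // 64 MiB

var (
	ErrCorrupt  = errors.New("snappy: malformed decoded-length preamble")
	ErrTooLarge = errors.New("snappy: declared decoded length exceeds limit")
)

// declaredDecodedLen reads the uvarint that opens every snappy block-format
// payload. A decoder trusts this number when it allocates its output buffer,
// so it is the value that must be bounded before any allocation happens.
func declaredDecodedLen(src []byte) (uint64, error) {
	n, read := binary.Uvarint(src)
	if read <= 0 { // 0: truncated preamble, <0: varint overflow
		return 0, ErrCorrupt
	}
	return n, nil
}

// checkDecodedLen accepts a payload only if its declared decoded length is
// within maxLen. Callers decode only after this returns a nil error.
func checkDecodedLen(src []byte, maxLen uint64) (uint64, error) {
	n, err := declaredDecodedLen(src)
	if err != nil {
		return 0, err
	}
	if n > maxLen {
		return n, ErrTooLarge
	}
	return n, nil
}

// lenPreamble builds just the uvarint preamble claiming n decoded bytes. It is
// used here only to construct sample inputs for the guard; a real block would
// carry compressed data after it.
func lenPreamble(n uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	return buf[:binary.PutUvarint(buf, n)]
}

// guardedHandler shows where the check belongs in an endpoint: bound the
// compressed body with MaxBytesReader, then bound the declared decoded size,
// and only then hand the bytes to the decoder (decode is a placeholder).
func guardedHandler(maxCompressed int64, maxDecoded uint64, decode func([]byte) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxCompressed))
		if err != nil {
			http.Error(w, "request body too large or unreadable", http.StatusRequestEntityTooLarge)
			return
		}
		if _, err := checkDecodedLen(body, maxDecoded); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if err := decode(body); err != nil {
			http.Error(w, "decode failed", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

func main() {
	// Constructed sample preambles: a modest claim and an absurd one.
	for _, n := range []uint64{1024, 1 << 40} {
		got, err := checkDecodedLen(lenPreamble(n), maxDecodedLen)
		fmt.Printf("declared=%d accepted=%v err=%v\n", got, err == nil, err)
	}
	_ = guardedHandler // wired into a mux in a real server
}
```

The two bounds are deliberately separate: MaxBytesReader limits what is read off the wire, while checkDecodedLen limits what the decoder would allocate, and a small compressed body can still declare a huge decoded size, which is exactly the case the advisory describes.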


Patches

Fixed in 3.11.3 and 3.5.3 LTS. Users should upgrade to these
versions or later.


Workarounds

Users who cannot upgrade can place Prometheus behind a reverse
proxy or firewall that requires authentication before
requests reach /api/v1/read.


Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2026-42154

Weaknesses
Weakness CWE-400
Weakness CWE-789

Credits

    @ShadowByte1 (Reporter)

_____________________________________________________________________

Prometheus Azure AD remote write OAuth client secret exposed via
config API

High
roidelapluie published GHSA-wg65-39gg-5wfj Apr 27, 2026

Package
prometheus

Affected versions
>= 2.48.0 and < 3.5.3 ; >= 3.6.0 and < 3.11.3

Patched versions
3.5.3 and 3.11.3


Description

Impact

Users who use Azure AD remote write with OAuth authentication
are impacted.

The client_secret field in the Azure AD remote write OAuth
configuration (storage/remote/azuread) was typed as string
instead of Secret. Prometheus redacts fields of type Secret
when serving the configuration via the /-/config HTTP API
endpoint. Because the field was a plain string, the Azure
OAuth client secret was exposed in plaintext to any user
or process with access to that endpoint.
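The mechanism here is type-driven redaction: the config-serving endpoint does not know which fields are sensitive, it simply marshals the config struct, and only fields whose type implements redacting marshalling come out masked. The Go program below is an added example, not Prometheus code; it reimplements a minimal Secret stand-in and contrasts a struct with a string-typed client secret against one with the Secret type. It uses encoding/json so it needs only the standard library (Prometheus renders YAML, but the principle is the same), and the struct names, field set and sample values are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Secret is a minimal stand-in for a redacting secret type: whatever the
// value, it renders as a fixed placeholder (empty stays empty). The real
// Prometheus type lives in its config package and redacts during YAML
// marshalling; this example models the same behaviour for JSON.
type Secret string

const redacted = "<secret>"

// MarshalJSON is what the config-serving path ends up calling for this field;
// it never returns the underlying value.
func (s Secret) MarshalJSON() ([]byte, error) {
	if s == "" {
		return []byte(`""`), nil
	}
	return []byte(`"` + redacted + `"`), nil
}

// vulnOAuthConfig mirrors the flaw: the secret is a plain string, so the
// encoder has no reason to treat it differently from any other field.
type vulnOAuthConfig struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// fixedOAuthConfig mirrors the patch: only the field's type changes.
type fixedOAuthConfig struct {
	ClientID     string `json:"client_id"`
	ClientSecret Secret `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// renderConfig is what a "show me the running config" endpoint does: it
// marshals whatever struct it is handed. HTML escaping is disabled so the
// placeholder's angle brackets are printed literally.
func renderConfig(cfg any) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(cfg); err != nil {
		return "", err
	}
	return strings.TrimSpace(buf.String()), nil
}

// leaksValue is the check a reviewer or a regression test can run over the
// rendered configuration: does the raw secret value appear anywhere in it?
func leaksValue(rendered, secret string) bool {
	return strings.Contains(rendered, secret)
}

func main() {
	// Constructed sample values; not real credentials.
	const secret = "example-client-secret-value"
	v, _ := renderConfig(vulnOAuthConfig{ClientID: "app", ClientSecret: secret, TenantID: "tenant"})
	f, _ := renderConfig(fixedOAuthConfig{ClientID: "app", ClientSecret: Secret(secret), TenantID: "tenant"})
	fmt.Println("string-typed:", v, "leaks:", leaksValue(v, secret))
	fmt.Println("Secret-typed:", f, "leaks:", leaksValue(f, secret))
}
```

A test like leaksValue, run against the rendered config with every credential the test knows, is the cheapest way to catch a newly added credential field that was typed as a plain string.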


Patches

The problem has been patched by changing ClientSecret in
OAuthConfig to Secret. Users should upgrade to 3.11.3 or
3.5.3 LTS.


Workarounds

Users who cannot upgrade can switch to Managed Identity
or Workload Identity authentication for Azure AD remote
write, which do not involve a client secret.


Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID
CVE-2026-42151

Weaknesses
Weakness CWE-200
Weakness CWE-312

Credits

    @brettgervasoni (Reporter)

_____________________________________________________________________


Stored XSS via crafted histogram bucket label values in the heatmap
display of the old Prometheus web UI

Moderate
roidelapluie published GHSA-fw8g-cg8f-9j28 Apr 27, 2026

Package
prometheus

Affected versions
>= 2.49.0

Patched versions
3.5.3 and 3.11.3

Description

Impact

In the Prometheus server's legacy web UI (enabled via the command-line
flag --enable-feature=old-ui), the histogram heatmap chart view does
not escape the values of the le label when inserting them into the HTML
for use as axis tick mark labels.

An attacker who can inject crafted metrics (e.g. via a compromised
scrape target, remote write, or OTLP receiver endpoint) can execute
JavaScript in the browser of any Prometheus user who views the
metric in the heatmap chart UI. From the XSS context, an attacker
could for example:

    - Read /api/v1/status/config to extract sensitive configuration
      (although credentials / secrets are redacted by the server)
    - Call /-/quit to shut down Prometheus (only if --web.enable-lifecycle
      is set)
    - Call /api/v1/admin/tsdb/delete_series to delete data (only if
      --web.enable-admin-api is set)
    - Exfiltrate metric data to an external server

Note that this only affects users who have explicitly enabled the
legacy Prometheus web UI using the
--enable-feature=old-ui command-line flag.
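The defect is a label value reaching HTML without escaping; the fix pattern is to escape at the point of insertion, and because a classic histogram's le label can only legitimately hold a bucket boundary, a renderer can also validate the value before it is rendered at all. The Go program below is an added example, not Prometheus code and not the heatmap's actual (JavaScript) rendering path; it places the unescaped pattern next to the escaped one and adds a boundary validator as defence in depth. The markup shape, function names and sample label values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"math"
	"strconv"
	"strings"
)

var ErrBadBucketBound = errors.New("le label is not a histogram bucket boundary")

// unsafeTickLabelHTML is the flawed pattern: the label value is concatenated
// straight into markup, so any markup inside the value becomes part of the page.
func unsafeTickLabelHTML(le string) string {
	return `<span class="tick">` + le + `</span>`
}

// safeTickLabelHTML is the fix pattern: escape at the point of insertion so
// the value can only ever be text inside the span.
func safeTickLabelHTML(le string) string {
	return `<span class="tick">` + html.EscapeString(le) + `</span>`
}

// validateLE accepts only what a classic histogram's le label can hold: a
// finite float64 literal or the literal "+Inf". This is defence in depth for
// the rendering layer; it is an assumption of this example, not a rule
// Prometheus enforces at ingestion.
func validateLE(le string) error {
	if le == "+Inf" {
		return nil
	}
	f, err := strconv.ParseFloat(le, 64)
	if err != nil || math.IsNaN(f) || math.IsInf(f, 0) {
		return ErrBadBucketBound
	}
	return nil
}

// renderAxis renders all tick labels, skipping invalid bounds and reporting
// them, rather than aborting the whole chart or rendering them anyway.
func renderAxis(bounds []string) (string, []string) {
	var b strings.Builder
	var rejected []string
	for _, le := range bounds {
		if err := validateLE(le); err != nil {
			rejected = append(rejected, le)
			continue
		}
		b.WriteString(safeTickLabelHTML(le))
	}
	return b.String(), rejected
}

func main() {
	// Constructed sample bounds: two legitimate ones and one carrying markup.
	bounds := []string{"0.5", "1<b>x</b>", "+Inf"}
	for _, le := range bounds {
		fmt.Printf("unsafe: %s\nsafe:   %s\n", unsafeTickLabelHTML(le), safeTickLabelHTML(le))
	}
	axis, rejected := renderAxis(bounds)
	fmt.Println("axis:", axis)
	fmt.Println("rejected:", rejected)
}
```

Escaping is the change that actually closes the hole; validation merely narrows what reaches the renderer and is worth keeping because it also catches the label-rewriting cases the workarounds section warns about.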


Patches

Fixed in commit 38f23b9 (see the patched versions above).


Workarounds

If at all possible, disable the legacy web UI by removing the
--enable-feature=old-ui command-line flag.

If this is not an option, take the following precautions:

    - If using the remote write receiver (--web.enable-remote-write-receiver),
      ensure it is not exposed to untrusted sources.
    - If using the OTLP receiver (--web.enable-otlp-receiver),
      ensure it is not exposed to untrusted sources.
    - Ensure scrape targets are trusted and not under attacker
      control.
    - Do not enable admin / mutating API endpoints
      (e.g. --web.enable-admin-api or --web.enable-lifecycle) in
      cases where you cannot prevent untrusted data from being
      ingested.
    - Users should avoid clicking untrusted links, especially
      those containing functions such as label_replace, as they may
      generate poisoned label names and values.


References

    - CVE-2019-10215: prior stored DOM XSS vulnerability in
      Prometheus query history, fixed in v2.7.2
    - CVE-2026-40179: prior stored DOM XSS vulnerability in
      Prometheus web UI (hover tooltips and metrics explorer),
      fixed in v3.11.2


Severity
Moderate

CVE ID
No known CVE

Weaknesses
Weakness CWE-79

Credits

    @iiihaiii (Reporter)
    @ngocnn97 (Reporter)



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================