Change8

v3.11.3

📦 prometheusView on GitHub →
🐛 3 fixes

Summary

This release focuses entirely on addressing multiple critical security vulnerabilities related to AzureAD OAuth secrets, snappy decompression limits, and XSS in the old UI.

🐛 Bug Fixes

  • Fixed AzureAD remote write vulnerability where OAuth client_secret was exposed in plaintext via the /-/config endpoint (CVE-2026-42151).
  • Fixed Remote-read vulnerability by rejecting snappy-compressed requests where the declared decoded length exceeds the decode limit (CVE-2026-42154).
  • Fixed stored XSS vulnerability in the old UI heatmap chart tick labels due to unescaped 'le' label values.