v3.11.3
📦 prometheusView on GitHub →
🐛 3 fixes
Summary
This release focuses entirely on addressing multiple critical security vulnerabilities related to AzureAD OAuth secrets, snappy decompression limits, and XSS in the old UI.
🐛 Bug Fixes
- Fixed AzureAD remote write vulnerability where OAuth client_secret was exposed in plaintext via the /-/config endpoint (CVE-2026-42151).
- Fixed Remote-read vulnerability by rejecting snappy-compressed requests where the declared decoded length exceeds the decode limit (CVE-2026-42154).
- Fixed stored XSS vulnerability in the old UI heatmap chart tick labels due to unescaped 'le' label values.