SB20260428200 - Multiple vulnerabilities in prometheus
Published: April 28, 2026
Breakdown by Severity (chart; categories: Low, Medium, High, Critical)
Description
This security bulletin contains information about 3 vulnerabilities.
1) Cross-site scripting (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary JavaScript in the browser of a Prometheus user.
The vulnerability exists due to cross-site scripting in the histogram heatmap chart view of the legacy Prometheus web UI when rendering crafted histogram bucket label values in axis tick mark labels. A remote attacker can inject crafted metrics to execute arbitrary JavaScript in the browser of a Prometheus user.
Only instances with the legacy web UI enabled via the --enable-feature=old-ui flag are vulnerable.
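The bulletin attributes the issue to label values being placed into axis tick labels without escaping. The following Go example is added here to illustrate that pattern and its fix; it is not Prometheus code and does not reproduce the affected UI. The `tickTemplate`, the function names and the constructed label value are all assumptions made for the illustration: `text/template` interpolates the value verbatim (the vulnerable behaviour), `html/template` escapes it for the text-node context, and `looksLikeMarkup` is a cheap ingestion-side check that flags bucket label values which should only ever be numeric.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// tickTemplate is a hypothetical SVG axis tick label; it stands in for the
// heatmap axis rendering the bulletin describes and is not Prometheus code.
const tickTemplate = `<text class="tick">{{.}}</text>`

// renderTickUnsafe interpolates the bucket label value verbatim. Any markup
// inside the value becomes part of the document: the vulnerable pattern.
func renderTickUnsafe(label string) (string, error) {
	t, err := texttemplate.New("tick").Parse(tickTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, label); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderTickSafe uses html/template, which escapes the value for the text-node
// context it lands in, so the label is displayed but never parsed as markup.
func renderTickSafe(label string) (string, error) {
	t, err := htmltemplate.New("tick").Parse(tickTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, label); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// looksLikeMarkup is a cheap check a defender can run over ingested label
// values: histogram bucket boundaries ("le") are numbers or "+Inf", so any
// HTML-significant character in them is worth alerting on.
func looksLikeMarkup(label string) bool {
	return strings.ContainsAny(label, "<>\"'&")
}

func main() {
	// Constructed sample bucket label value carrying harmless markup.
	label := `0.5"><i>x</i>`

	unsafe, _ := renderTickUnsafe(label)
	safe, _ := renderTickSafe(label)
	fmt.Println("unsafe:", unsafe)
	fmt.Println("safe:  ", safe)
	fmt.Println("flagged:", looksLikeMarkup(label), looksLikeMarkup("0.5"), looksLikeMarkup("+Inf"))
}
```

The escaped rendering keeps the label visible to the user while guaranteeing it is text, which is the only property the chart needs; the ingestion check is a complement, not a replacement, because escaping at the output boundary is what actually closes the issue.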
2) Information disclosure (CVE-ID: CVE-2026-42151)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the /-/config HTTP API endpoint when serving the Azure AD remote write OAuth configuration. A remote attacker can access the endpoint to disclose sensitive information.
Only deployments using Azure AD remote write with OAuth authentication are affected.
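The defensive pattern for an information disclosure of this kind is to make credential-bearing configuration fields incapable of serialising their contents, so that any endpoint which echoes the loaded configuration, such as the /-/config endpoint named above, can only emit a placeholder. The Go example below is added for illustration and is not Prometheus code: the `Secret` type, the `AzureADOAuth` field names, the `/-/config` handler wiring and the constructed credential value are all assumptions. `LeaksValue` is the regression check a defender would run against every configuration-echoing endpoint after the fix.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Secret is a hypothetical wrapper for credential-bearing config fields (the
// pattern, not Prometheus's own type). Its JSON form is a fixed placeholder,
// so any handler that serialises the config cannot emit the real value.
type Secret string

func (s Secret) MarshalJSON() ([]byte, error) {
	if s == "" {
		return []byte(`""`), nil
	}
	return []byte(`"<secret>"`), nil
}

// AzureADOAuth models the Azure AD OAuth block of a remote write config.
// Field names are illustrative, not the project's schema.
type AzureADOAuth struct {
	ClientID     string `json:"client_id"`
	TenantID     string `json:"tenant_id"`
	ClientSecret Secret `json:"client_secret"`
}

// leakyAzureADOAuth is the same shape with a plain string secret: whatever
// renders this struct hands the credential to every reader of the endpoint.
type leakyAzureADOAuth struct {
	ClientID     string `json:"client_id"`
	TenantID     string `json:"tenant_id"`
	ClientSecret string `json:"client_secret"`
}

// RenderConfig is what a config-dump endpoint does: serialise the loaded
// configuration for an operator to inspect. HTML escaping is disabled so the
// "<secret>" placeholder is shown literally.
func RenderConfig(cfg any) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	enc.SetIndent("", "  ")
	if err := enc.Encode(cfg); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ConfigHandler serves the rendered config on a hypothetical /-/config route.
func ConfigHandler(cfg any) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		out, err := RenderConfig(cfg)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, out)
	}
}

// LeaksValue is the regression check: does the rendered config still contain
// the raw credential?
func LeaksValue(rendered, secret string) bool {
	return strings.Contains(rendered, secret)
}

// ServeAndCapture issues a request to the handler and returns the body, so the
// check covers the HTTP path and not only the marshalling.
func ServeAndCapture(cfg any) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/-/config", nil)
	ConfigHandler(cfg).ServeHTTP(rec, req)
	return rec.Body.String()
}

func main() {
	const secret = "constructed-client-secret-value" // constructed sample value
	leaky := leakyAzureADOAuth{ClientID: "app-id", TenantID: "tenant-id", ClientSecret: secret}
	fixed := AzureADOAuth{ClientID: "app-id", TenantID: "tenant-id", ClientSecret: Secret(secret)}

	fmt.Println("leaky endpoint leaks:", LeaksValue(ServeAndCapture(leaky), secret))
	fmt.Println("fixed endpoint leaks:", LeaksValue(ServeAndCapture(fixed), secret))
	fmt.Print(ServeAndCapture(fixed))
}
```

Putting the redaction on the type rather than in the handler matters: a handler-level filter protects one endpoint, whereas a type that cannot serialise its value protects every present and future code path that marshals the configuration.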
3) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-42154)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists because the remote read endpoint (/api/v1/read) allocates memory according to an excessive size value when processing snappy-compressed request bodies. A remote attacker can send a specially crafted request body to cause a denial of service.
Concurrent exploitation can exhaust available memory and crash the Prometheus process.
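A snappy block begins with the uncompressed length stored as a little-endian varint, and that number is supplied by the client. The Go example below is added to show the two bounds a handler for an endpoint like /api/v1/read needs before decompressing: a cap on how much of the compressed body is read at all, and a check of the declared decompressed length before any buffer of that size is allocated. It is not Prometheus code; the limits `MaxRemoteReadCompressed` and `MaxRemoteReadDecoded`, the function names and the constructed request bodies are assumptions, and `PrefixedBody` builds only the length prefix, not valid compressed data.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// MaxRemoteReadDecoded is a hypothetical cap on the decompressed size of a
// remote read request body; it is not a Prometheus setting.
const MaxRemoteReadDecoded uint64 = 32 << 20 // 32 MiB

// MaxRemoteReadCompressed caps how much of the wire body is read at all.
const MaxRemoteReadCompressed int64 = 8 << 20 // 8 MiB

// DecodedLen parses the length prefix of a snappy block. The block format
// starts with the uncompressed length as a little-endian varint; that number
// comes straight from the client, so it is untrusted input.
func DecodedLen(block []byte) (uint64, error) {
	n, read := binary.Uvarint(block)
	if read <= 0 {
		return 0, errors.New("snappy: missing or overlong length prefix")
	}
	return n, nil
}

// CheckDeclaredLen rejects a block whose declared decompressed size exceeds
// the cap before any buffer of that size is allocated.
func CheckDeclaredLen(block []byte, limit uint64) error {
	n, err := DecodedLen(block)
	if err != nil {
		return err
	}
	if n > limit {
		return fmt.Errorf("snappy: declared decompressed size %d exceeds limit %d", n, limit)
	}
	return nil
}

// ReadBoundedBody reads at most limit bytes of the compressed body and fails
// if the body is larger, so the first allocation is bounded as well.
func ReadBoundedBody(r io.Reader, limit int64) ([]byte, error) {
	body, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(body)) > limit {
		return nil, fmt.Errorf("request body exceeds %d bytes", limit)
	}
	return body, nil
}

// PrefixedBody builds a constructed block that merely declares n decompressed
// bytes; it is a header, not valid compressed data, and exists only so the
// checks can be exercised offline.
func PrefixedBody(n uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	w := binary.PutUvarint(buf, n)
	return buf[:w]
}

// HandleRemoteReadBody is the combined guard in the order a handler would
// apply it: bound the wire read, then bound the declared decompressed size.
func HandleRemoteReadBody(r io.Reader) error {
	body, err := ReadBoundedBody(r, MaxRemoteReadCompressed)
	if err != nil {
		return err
	}
	return CheckDeclaredLen(body, MaxRemoteReadDecoded)
}

func main() {
	// Constructed samples: a modest declaration and an absurd one (1 TiB).
	for _, n := range []uint64{4096, 1 << 40} {
		err := HandleRemoteReadBody(bytes.NewReader(PrefixedBody(n)))
		fmt.Printf("declared %d bytes: err=%v\n", n, err)
	}
}
```

The compressed-size cap alone is not enough, because a few bytes of header can declare gigabytes of output; the declared-length check alone is not enough either, because the body itself must be buffered before it can be inspected. Together they keep the memory cost of a single request bounded, which is what limits the effect of the concurrent requests the bulletin warns about.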
Remediation
Install the update from the vendor's website.