3.11.3 — Multiple security issues fixed
This release addresses three critical security vulnerabilities: an OAuth client_secret exposure in AzureAD remote write configuration, a snappy-compressed request handling issue in remote-read, and a stored XSS vulnerability in the old UI heatmap chart. All issues have been patched and coordinated disclosure credits have been provided.
This release fixes multiple security issues.
We would like to thank the following people for the responsible disclosures:
- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.
- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.

- [SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18590
- [SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18584
- [SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18588
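The first entry above is a config-dump leak: a secret stored as a plain string in the loaded configuration is serialised verbatim by whatever endpoint renders that configuration. The usual fix is a dedicated secret type that redacts itself whenever it is marshalled or printed. The Go sketch below is an added example, not the Prometheus code for this fix; the `Secret` and `OAuthConfig` types, their field names and the `renderConfig` function are assumptions for illustration (Prometheus's own `/-/config` output is YAML, while this example uses the standard library's JSON encoder to stay dependency-free).

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Secret is an assumed type for this example: a string whose serialised form
// is always a placeholder. It is an independent sketch, not the project's
// own implementation.
type Secret string

const secretPlaceholder = "<secret>"

// MarshalJSON replaces a non-empty secret with the placeholder. An empty
// secret stays empty so an operator can still tell "unset" from "set".
// The literal bytes are returned directly so the angle brackets survive
// when the surrounding encoder has HTML escaping disabled.
func (s Secret) MarshalJSON() ([]byte, error) {
	if s == "" {
		return []byte(`""`), nil
	}
	return []byte(`"` + secretPlaceholder + `"`), nil
}

// String covers fmt and log output, the other common leak path.
func (s Secret) String() string {
	if s == "" {
		return ""
	}
	return secretPlaceholder
}

// OAuthConfig mimics the shape of a remote-write OAuth block. The field
// names are assumptions for this example.
type OAuthConfig struct {
	ClientID     string `json:"client_id"`
	ClientSecret Secret `json:"client_secret"`
}

// renderConfig is what a config-dump endpoint would call. The client_secret
// field never reaches the output in clear text because its type redacts
// itself; the endpoint needs no special-casing per field.
func renderConfig(cfg OAuthConfig) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep "<secret>" readable rather than \u003csecret\u003e
	if err := enc.Encode(cfg); err != nil {
		return "", err
	}
	return strings.TrimSuffix(buf.String(), "\n"), nil
}

// leaks reports whether rendered output still contains the raw secret.
// This is the regression check to keep on any endpoint that dumps config.
func leaks(rendered string, raw Secret) bool {
	return raw != "" && strings.Contains(rendered, string(raw))
}

func main() {
	// Constructed sample config; the secret value is made up for this example.
	cfg := OAuthConfig{ClientID: "example-app", ClientSecret: "constructed-secret-value"}
	out, err := renderConfig(cfg)
	fmt.Println(out, err, "leaked:", leaks(out, cfg.ClientSecret))
}
```

The type-level approach matters because a config struct usually has many paths to the outside (a dump endpoint, log lines, error messages); redacting in one handler fixes only that handler, whereas redacting in the type's marshal and `String` methods covers all of them.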
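The remote-read entry above describes a decompression-bomb guard: a snappy block-format payload begins with a varint stating the uncompressed length, and a decoder that trusts that number will allocate a buffer of that size before it has checked that the body could possibly produce it. The guard is to parse only that prefix and reject the request when the declared length exceeds the configured limit. The Go code below is an added example, not the Prometheus patch; it parses the prefix with the standard library so it has no dependency (the `github.com/golang/snappy` package exposes the same prefix read as `snappy.DecodedLen`), and the `maxDecodedLen` constant and the helper names are assumptions for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxDecodedLen is the decode limit this example enforces. It is an assumed
// value for illustration, not the project's actual limit.
const maxDecodedLen uint64 = 1 << 20 // 1 MiB

var (
	ErrCorruptHeader  = errors.New("snappy: missing or malformed length prefix")
	ErrDeclaredTooBig = errors.New("snappy: declared decoded length exceeds limit")
)

// declaredDecodedLen reads the uvarint that starts every snappy block-format
// payload: the uncompressed length the sender claims. Nothing else in the
// payload is touched, so no buffer is sized from untrusted input here.
func declaredDecodedLen(src []byte) (uint64, error) {
	n, read := binary.Uvarint(src)
	if read <= 0 { // 0: truncated varint; <0: value overflows 64 bits
		return 0, ErrCorruptHeader
	}
	return n, nil
}

// checkDeclaredLen is the guard a remote-read handler would run before
// decoding: reject the body when the claimed decoded size exceeds limit.
// Without it, a payload of a few bytes can claim terabytes and make the
// decoder allocate accordingly.
func checkDeclaredLen(src []byte, limit uint64) error {
	n, err := declaredDecodedLen(src)
	if err != nil {
		return err
	}
	if n > limit {
		return fmt.Errorf("%w: %d > %d", ErrDeclaredTooBig, n, limit)
	}
	return nil
}

// encodeHeader builds just the length prefix of a block-format payload. It is
// used here to construct sample inputs; it is not a full snappy encoder.
func encodeHeader(decodedLen uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	n := binary.PutUvarint(buf, decodedLen)
	return buf[:n]
}

func main() {
	// Constructed inputs: a plausible request header, a header that declares
	// 1 TiB of decoded data in a handful of bytes, and an empty body.
	for _, body := range [][]byte{encodeHeader(4096), encodeHeader(1 << 40), nil} {
		fmt.Printf("prefix %x -> %v\n", body, checkDeclaredLen(body, maxDecodedLen))
	}
}
```

The check is deliberately placed before any call to the real decoder. Once the prefix passes, the decoder still validates that the compressed body actually produces that many bytes, so the guard only needs to bound the allocation, not replace the format's own integrity checks.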