Prometheus Changelog

Prometheus — Observability product updates and releases, tracked on megachangelog.


Announcement 3.12.0

Prometheus 3.12.0 — Security fixes, PromQL features, and TSDB performance

This release addresses two security vulnerabilities in remote-write and STACKIT service discovery, introduces new experimental PromQL functions (start, end, range, step) with start timestamp support, and optimizes TSDB performance through constant-time head chunk lookup and improved mmap operations. It also includes support for DigitalOcean and Outscale service discovery, a new web UI for time series deletion, and numerous bug fixes.

security performance promql service-discovery tsdb
Announcement 0.312.0

v0.312.0

<UNKNOWN>

release
Announcement 0.312.0-rc.0

v0.312.0-rc.0

Release candidate 0 for version 0.312.0 of Prometheus.

release rc prometheus
Announcement 3.12.0-rc.0

Prometheus 3.12.0-rc.0: Security fixes, PromQL enhancements, and TSDB optimizations

This release addresses two security vulnerabilities (remote-write snappy decompression DoS and STACKIT secret exposure), introduces new PromQL experimental functions and start timestamp support, optimizes TSDB performance with constant-time head chunk lookup, and adds service discovery for DigitalOcean and Outscale along with UI improvements for time series management.

security promql tsdb service-discovery performance
Security 3.11.3

3.11.3 — Multiple security issues fixed

This release addresses three critical security vulnerabilities: an OAuth client_secret exposure in AzureAD remote write configuration, a snappy-compressed request handling issue in remote-read, and a stored XSS vulnerability in the old UI heatmap chart. All issues have been patched and coordinated disclosure credits have been provided.

security vulnerability oauth xss cve
Security 3.5.3

Security release: OAuth, snappy decode, and XSS fixes

This release addresses four security vulnerabilities: AzureAD OAuth client_secret exposure in config endpoint, snappy decompression limits in remote-write/read, and a stored XSS in the legacy UI heatmap charts. All issues have been responsibly disclosed and assigned CVE identifiers.

security oauth xss remote-write remote-read
Announcement 0.311.3

Prometheus v0.311.3

Version 0.311.3 of Prometheus released with general maintenance and stability updates.

prometheus release monitoring
Update 0.305.3

Version 0.305.3

A patch release with bug fixes and stability improvements.

release patch stability
Security 3.11.2

Prometheus 3.11.2

This release fixes a stored XSS vulnerability in the Prometheus web UI that could be triggered via crafted metric names and label values in tooltips and the metrics explorer. It also adds a health_filter field to Consul SD for Health API filtering and fixes a bug where the filter parameter was incorrectly applied.

security xss ui consul bugfix
Security 3.5.2

Fix stored XSS via unescaped metric names and labels in web UI

This release patches a stored XSS vulnerability (CVE-2026-40179) that could be triggered through crafted metric names and label values in the Prometheus web UI tooltips and metrics explorer. Additionally, regex performance is improved by removing unnecessary Simplify calls.

security xss ui cve performance