Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.2%top 85%

BIT-prometheus-2026-40179: Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer

0
Medium
Published: 07/15/2026 (07/15/2026, 15:58:00 UTC)
Source: GCVE Database
Product: prometheus

Description

Prometheus versions prior to 3.5.2 and between 3.6.0 and before 3.11.2 contain stored cross-site scripting (XSS) vulnerabilities in the web UI. These vulnerabilities arise because metric names and label values are injected into the UI without proper escaping, allowing malicious JavaScript execution in user browsers. The issue affects multiple UI components including chart tooltips and the Metric Explorer fuzzy search. An attacker able to inject metrics via compromised scrape targets or remote write endpoints can exploit this to execute arbitrary scripts. Fixed in versions 3.5.2 and 3.11.2.

Affected software

Bitnamimore threats →ghsa
prometheus
pkg:bitnami/prometheus
Affected versions
<0.305.2>=0.306.0 <0.311.2>=1.0.0 <3.5.2>=3.6.0 <3.11.2

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/16/2026, 14:29:10 UTC

Technical Analysis

Prometheus, an open-source monitoring system, has stored XSS vulnerabilities in its web UI components where metric names and label values are rendered without escaping, specifically in chart tooltips and Metric Explorer fuzzy search results. This occurs because Prometheus v3.x allows UTF-8 characters such as <, >, and " in metric and label names, which are not sanitized before being injected into innerHTML or React's dangerouslySetInnerHTML. Attackers who can inject metrics through compromised scrape targets, remote write, or OTLP receiver endpoints can execute arbitrary JavaScript in the browsers of users viewing these metrics. This can lead to actions such as configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. The vulnerability is fixed in Prometheus versions 3.5.2 and 3.11.2. Workarounds include restricting exposure of remote write and OTLP receivers, ensuring scrape targets are trusted, disabling admin or mutating API endpoints in untrusted environments, and avoiding clicking untrusted links that may generate malicious label names.

Potential Impact

Exploitation allows arbitrary JavaScript execution in the browser of any Prometheus user who views the maliciously crafted metric or label in the web UI. This can lead to sensitive configuration data exfiltration, deletion of monitoring data, or shutdown of the Prometheus server depending on enabled features. The vulnerability requires the attacker to inject metrics via compromised or attacker-controlled scrape targets or remote write/OTLP endpoints.

Mitigation Recommendations

A fix is available in Prometheus versions 3.5.2 and 3.11.2; upgrading to these or later versions is recommended. Until updates can be applied, restrict exposure of the remote write receiver (--web.enable-remote-write-receiver) and OTLP receiver (--web.enable-otlp-receiver) to trusted sources only. Ensure all scrape targets are trusted and not attacker-controlled. Avoid enabling admin or mutating API endpoints such as --web.enable-admin-api or --web.enable-lifecycle in environments where untrusted data may be ingested. Users should also avoid clicking untrusted links that may contain functions like label_replace, which can generate malicious label names and values.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
BIT-prometheus-2026-40179
Osv Schema Version
1.6.2
Aliases
["CVE-2026-40179"]
Ecosystems
["Bitnami"]
Database Specific Severity
Medium
Cvss Version
null

Threat ID: 6a58b51a68715ace43db454b

Added to database: 07/16/2026, 10:40:26 UTC

Last enriched: 07/16/2026, 14:29:10 UTC

Last updated: 07/16/2026, 19:47:31 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses