BIT-prometheus-2026-40179: Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer
Prometheus versions prior to 3.5.2 and between 3.6.0 and before 3.11.2 contain stored cross-site scripting (XSS) vulnerabilities in the web UI. These vulnerabilities arise because metric names and label values are injected into the UI without proper escaping, allowing malicious JavaScript execution in user browsers. The issue affects multiple UI components including chart tooltips and the Metric Explorer fuzzy search. An attacker able to inject metrics via compromised scrape targets or remote write endpoints can exploit this to execute arbitrary scripts. Fixed in versions 3.5.2 and 3.11.2.
AI Analysis
Technical Summary
Prometheus, an open-source monitoring system, has stored XSS vulnerabilities in its web UI components where metric names and label values are rendered without escaping, specifically in chart tooltips and Metric Explorer fuzzy search results. This occurs because Prometheus v3.x allows UTF-8 characters such as <, >, and " in metric and label names, which are not sanitized before being injected into innerHTML or React's dangerouslySetInnerHTML. Attackers who can inject metrics through compromised scrape targets, remote write, or OTLP receiver endpoints can execute arbitrary JavaScript in the browsers of users viewing these metrics. This can lead to actions such as configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. The vulnerability is fixed in Prometheus versions 3.5.2 and 3.11.2. Workarounds include restricting exposure of remote write and OTLP receivers, ensuring scrape targets are trusted, disabling admin or mutating API endpoints in untrusted environments, and avoiding clicking untrusted links that may generate malicious label names.
Potential Impact
Exploitation allows arbitrary JavaScript execution in the browser of any Prometheus user who views the maliciously crafted metric or label in the web UI. This can lead to sensitive configuration data exfiltration, deletion of monitoring data, or shutdown of the Prometheus server depending on enabled features. The vulnerability requires the attacker to inject metrics via compromised or attacker-controlled scrape targets or remote write/OTLP endpoints.
Mitigation Recommendations
A fix is available in Prometheus versions 3.5.2 and 3.11.2; upgrading to these or later versions is recommended. Until updates can be applied, restrict exposure of the remote write receiver (--web.enable-remote-write-receiver) and OTLP receiver (--web.enable-otlp-receiver) to trusted sources only. Ensure all scrape targets are trusted and not attacker-controlled. Avoid enabling admin or mutating API endpoints such as --web.enable-admin-api or --web.enable-lifecycle in environments where untrusted data may be ingested. Users should also avoid clicking untrusted links that may contain functions like label_replace, which can generate malicious label names and values.
BIT-prometheus-2026-40179: Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer
Description
Prometheus versions prior to 3.5.2 and between 3.6.0 and before 3.11.2 contain stored cross-site scripting (XSS) vulnerabilities in the web UI. These vulnerabilities arise because metric names and label values are injected into the UI without proper escaping, allowing malicious JavaScript execution in user browsers. The issue affects multiple UI components including chart tooltips and the Metric Explorer fuzzy search. An attacker able to inject metrics via compromised scrape targets or remote write endpoints can exploit this to execute arbitrary scripts. Fixed in versions 3.5.2 and 3.11.2.
Affected software
pkg:bitnami/prometheusRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Prometheus, an open-source monitoring system, has stored XSS vulnerabilities in its web UI components where metric names and label values are rendered without escaping, specifically in chart tooltips and Metric Explorer fuzzy search results. This occurs because Prometheus v3.x allows UTF-8 characters such as <, >, and " in metric and label names, which are not sanitized before being injected into innerHTML or React's dangerouslySetInnerHTML. Attackers who can inject metrics through compromised scrape targets, remote write, or OTLP receiver endpoints can execute arbitrary JavaScript in the browsers of users viewing these metrics. This can lead to actions such as configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. The vulnerability is fixed in Prometheus versions 3.5.2 and 3.11.2. Workarounds include restricting exposure of remote write and OTLP receivers, ensuring scrape targets are trusted, disabling admin or mutating API endpoints in untrusted environments, and avoiding clicking untrusted links that may generate malicious label names.
Potential Impact
Exploitation allows arbitrary JavaScript execution in the browser of any Prometheus user who views the maliciously crafted metric or label in the web UI. This can lead to sensitive configuration data exfiltration, deletion of monitoring data, or shutdown of the Prometheus server depending on enabled features. The vulnerability requires the attacker to inject metrics via compromised or attacker-controlled scrape targets or remote write/OTLP endpoints.
Mitigation Recommendations
A fix is available in Prometheus versions 3.5.2 and 3.11.2; upgrading to these or later versions is recommended. Until updates can be applied, restrict exposure of the remote write receiver (--web.enable-remote-write-receiver) and OTLP receiver (--web.enable-otlp-receiver) to trusted sources only. Ensure all scrape targets are trusted and not attacker-controlled. Avoid enabling admin or mutating API endpoints such as --web.enable-admin-api or --web.enable-lifecycle in environments where untrusted data may be ingested. Users should also avoid clicking untrusted links that may contain functions like label_replace, which can generate malicious label names and values.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- BIT-prometheus-2026-40179
- Osv Schema Version
- 1.6.2
- Aliases
- ["CVE-2026-40179"]
- Ecosystems
- ["Bitnami"]
- Database Specific Severity
- Medium
- Cvss Version
- null
Threat ID: 6a58b51a68715ace43db454b
Added to database: 07/16/2026, 10:40:26 UTC
Last enriched: 07/16/2026, 14:29:10 UTC
Last updated: 07/16/2026, 19:47:31 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.