
Prometheus

DEVOPS
Velocity: 3.8

Monitoring system

Prometheus enters 3.12 RC while running a coordinated security backport across the 3.5 LTS line.

Tags: security disclosures, lts maintenance, promql, service discovery, tsdb performance
Current state
Prometheus published a 3.12.0 release candidate with PromQL and Service Discovery additions, TSDB performance work, and security fixes for a remote-write denial-of-service and a STAC secret leak. In the same window, 3.11.3 and 3.5.3 shipped coordinated security fixes for a Remote-Read snappy decoding issue, AzureAD OAuth client_secret handling, and an old-UI XSS; the prior 3.11.2/3.5.2 pair fixed CVE-2026-40179, a stored XSS via crafted metric names and label values in the web UI. The project is clearly maintaining 3.5 as a long-term support branch alongside the active 3.x line.
Where it's heading
Cadence is dominated by responsible-disclosure security work, with feature additions concentrated in the upcoming 3.12 release. The fact that 3.5 keeps receiving coordinated backports months after 3.11 suggests Prometheus is informally treating 3.5 as a stable LTS for environments that cannot upgrade quickly.
Prediction
Expect 3.12.0 to ship as a final release within a few weeks given the RC has already landed, and a 3.5.4 backport to follow the next security disclosure rather than the next feature batch.
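A practical check that falls out of the version pairs above: given the version a running Prometheus reports, decide which of the fixes listed on this page it carries. The script below is an added example, not Prometheus project code. It encodes only what this page states (CVE-2026-40179 fixed in 3.5.2/3.11.2; the Remote-Read snappy, AzureAD client_secret and old-UI XSS set fixed in 3.5.3/3.11.3; the remote-write snappy DoS and STAC secret leak fixed in 3.12.0-rc.0). Minor lines the page does not name (3.6 through 3.10, or whether the 3.12 RC also contains the 3.11.3 set) are reported as "unknown" rather than assumed either way; that conservative rule, the `/api/v1/status/buildinfo` lookup and the sample JSON are this example's assumptions.

```python
"""Gate a reported Prometheus version against the fixes listed on this page.

Added example; the fix table below is transcribed from the page text and is
not an authoritative advisory. Lines not named on the page yield "unknown".
"""
import json
import re

# (label, {minor line: first version on that line stated as fixed})
# Versions are (major, minor, patch, prerelease-or-None).
FIXES = [
    ("CVE-2026-40179 stored XSS via metric names / label values (web UI)",
     {(3, 5): (3, 5, 2, None), (3, 11): (3, 11, 2, None)}),
    ("Remote-Read snappy decode, AzureAD client_secret handling, old-UI XSS",
     {(3, 5): (3, 5, 3, None), (3, 11): (3, 11, 3, None)}),
    ("remote-write snappy DoS and STAC secret leak (3.12 RC)",
     {(3, 12): (3, 12, 0, "rc.0")}),
]

_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?$")


def parse_version(text):
    """'3.11.3' or 'v3.12.0-rc.0' -> (major, minor, patch, prerelease|None)."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Prometheus version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre)


def _key(ver):
    """Sort key with semver pre-release rules: X.Y.Z-rc.N sorts below X.Y.Z,
    and dotted identifiers compare numerically when they are digits."""
    major, minor, patch, pre = ver
    if pre is None:
        return (major, minor, patch, 1, ())
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (major, minor, patch, 0, parts)


def assess(version_text):
    """Return [(fix label, 'fixed' | 'vulnerable' | 'unknown'), ...]."""
    ver = parse_version(version_text)
    line = ver[:2]
    report = []
    for label, fixed_by_line in FIXES:
        if line not in fixed_by_line:
            # The page says nothing about this minor line; do not guess.
            report.append((label, "unknown"))
        elif _key(ver) >= _key(fixed_by_line[line]):
            report.append((label, "fixed"))
        else:
            report.append((label, "vulnerable"))
    return report


def version_from_buildinfo(body):
    """Extract data.version from a /api/v1/status/buildinfo response body."""
    doc = json.loads(body)
    if doc.get("status") != "success":
        raise ValueError("buildinfo query did not succeed")
    return doc["data"]["version"]


# Constructed sample of what the buildinfo endpoint returns (not captured
# from a real server); only the fields this script reads are included.
SAMPLE_BUILDINFO = '{"status":"success","data":{"version":"3.11.2","revision":"deadbeef","goVersion":"go1.24"}}'

if __name__ == "__main__":
    v = version_from_buildinfo(SAMPLE_BUILDINFO)
    print(f"Prometheus {v}")
    for label, status in assess(v):
        print(f"  [{status:10}] {label}")
```

Point the script at `http://<prometheus>:9090/api/v1/status/buildinfo` (with whatever auth fronts the server) instead of the constructed sample to run it against a live instance; a "vulnerable" row on the 3.5 or 3.11 line is a direct upgrade action, while "unknown" means the instance is on a line this page says nothing about and the release notes need reading by hand.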

Recent moves

  1. 2d ago

    Prometheus 3.12.0-rc.0 — PromQL/SD features plus security fixes

    3.12.0-rc.0 carries new PromQL and Service Discovery features, TSDB performance work, Start Timestamp refinements, and patches for a remote-write snappy DoS plus a STAC secret leak. Feature-bearing RC after months of mostly security-driven point releases.

  2. 23d ago

    Prometheus 3.11.3 — coordinated security fixes

    3.11.3 lands three coordinated security fixes: a Remote-Read snappy decode issue, AzureAD OAuth client_secret handling, and an Old UI XSS. Released in lockstep with the 3.5.3 LTS backport.

  3. 23d ago

    Prometheus 3.5.3 LTS — security backport of 3.11.3 fixes

    3.5.3 ports the same disclosure set (snappy decode, AzureAD secret, Old UI XSS) into the 3.5 LTS line. Confirms 3.5 is being maintained on the same disclosure timeline as the active branch.

  4. 1mo ago

    Prometheus 3.11.2 — fix CVE-2026-40179 (web UI XSS)

    3.11.2 patches CVE-2026-40179, a stored XSS via crafted metric names and label values in the web UI, and adds a health_filter field for Consul Service Discovery. Security-driven release with one minor enhancement.

  5. 1mo ago

    Prometheus 3.5.2 LTS — XSS fix backport plus regex perf

    3.5.2 backports the CVE-2026-40179 fix into the 3.5 LTS line and includes a regex performance tweak. Demonstrates the dual-line maintenance pattern.
