Infrastructure
Prometheus 3.5.4 LTS patches a plaintext secret-exposure flaw
- Category: Infrastructure
- Status: confirmed
- Sources: Prometheus v3.5.4 release
- Summary: Prometheus released v3.5.4 on 2026-06-17, a backported security patch on the 3.5 LTS line. It fixes GHSA-39j6-789q-qxvh, where secrets were exposed in plaintext through the /-/config endpoint in STACKIT service discovery, and bumps golang.org/x/net to v0.55.0 and OpenTelemetry to v1.43.0 to address Go advisories GO-2026-5026, GO-2026-4918, and GO-2026-4985, plus UI dependency updates. Container images are now also published to ghcr.io. The advisory carries no CVE id or stated CVSS score at release.
- Why it matters: Operators running STACKIT service discovery on a 3.5 LTS Prometheus could leak credentials through an exposed config endpoint, so the LTS upgrade is a direct fix.
- Follow-up: Track a CVE assignment and severity for the STACKIT service-discovery secret exposure.