Infrastructure
Prometheus 3.13.0 LTS ships security fixes
- Category: Infrastructure
- Status: confirmed
- Sources: GitHub release
- Summary: Prometheus 3.13.0, a Long Term Support release, shipped on 2026-07-01. It bumps
sanitize-htmlto fix a UI cross-site scripting issue (CVE-2026-44990) and, via prometheus/common v0.69.0, stops forwarding credentials (Authorization header, basic auth, bearer token, OAuth2, configured headers) when an HTTP client follows a redirect to a different host, affecting scraping, remote read and write, alerting, and service discovery (CVE-2025-4673, CVE-2023-45289). The API now uses SHA-256 instead of SHA-1 for rule-group pagination tokens, and third-party npm license texts are embedded in the binary at/assets/third-party-licenses.txt. - Why it matters: LTS is the version most production deployments pin to, and the redirect credential-forwarding change can alter behavior for setups that relied on cross-host credential reuse.
- Follow-up: Watch for scrape or remote-write breakage reports tied to the redirect credential change.