• Category: Infrastructure
  • Status: confirmed
  • Sources: GitHub release
  • Summary: Prometheus 3.13.0, a Long Term Support release, shipped on 2026-07-01. It bumps sanitize-html to fix a UI cross-site scripting issue (CVE-2026-44990) and, via prometheus/common v0.69.0, stops forwarding credentials (Authorization header, basic auth, bearer token, OAuth2, configured headers) when an HTTP client follows a redirect to a different host, affecting scraping, remote read and write, alerting, and service discovery (CVE-2025-4673, CVE-2023-45289). The API now uses SHA-256 instead of SHA-1 for rule-group pagination tokens, and third-party npm license texts are embedded in the binary at /assets/third-party-licenses.txt.
  • Why it matters: LTS is the version most production deployments pin to, and the redirect credential-forwarding change can alter behavior for setups that relied on cross-host credential reuse.
  • Follow-up: Watch for scrape or remote-write breakage reports tied to the redirect credential change.

Send feedback on this story