Prometheus 3.5.3 LTS and 3.11.3 are available


Julien Pivotto
Apr 27, 2026, 11:24:29 AM
to prometheus-announce

Hello Prometheus community,

Prometheus 3.5.3 LTS and 3.11.3 have been released.

They contain multiple security fixes:

- [SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151
- [SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154
- [SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28

We would like to thank the following people for the responsible disclosures:
- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.
- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.
- @iiihaiii and @Ngocnn97 for the Old UI XSS vulnerability.

Additionally, 3.5.3 now limits the Remote Write decoded request size to 32MiB, which matches changes made in Prometheus 3.8.1.


You can find more details here: https://github.com/prometheus/prometheus/security/advisories
You can find the full changelogs and download the releases at:

https://github.com/prometheus/prometheus/releases/tag/v3.5.3
https://github.com/prometheus/prometheus/releases/tag/v3.11.3

Container images are also available at
https://quay.io/repository/prometheus/prometheus?tab=tags and
https://hub.docker.com/r/prom/prometheus/tags.

Thank you for your contributions and support in making Prometheus a
better tool for monitoring and alerting.

Best regards,

--
Julien Pivotto
@roidelapluie
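The remote-read fix in the announcement rejects a snappy body by its declared decoded length before decompressing it. The Go program below is an added example illustrating that check; it is not Prometheus code and not taken from the advisory. It relies on one property of the snappy block format: every block opens with a uvarint stating the decoded size, and that number is chosen by the sender independently of the compressed payload that follows, so a few bytes of request can claim gigabytes of output. The 32 MiB constant is the remote-write limit the announcement states for 3.5.3, reused here as the decode limit; the function names, the hand-built literalBlock and forgedBlock helpers, and the choice to treat a declared length above 32 bits as a corrupt header are this example's own assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// MaxDecodedLen is the 32 MiB decoded-body cap the announcement gives for
// remote write in 3.5.3; it is used here as the example's decode limit.
const MaxDecodedLen = 32 << 20

var (
	ErrCorrupt  = errors.New("snappy: corrupt or truncated header")
	ErrTooLarge = errors.New("snappy: declared decoded length exceeds limit")
)

// DeclaredDecodedLen reads the uvarint that opens every snappy block: the
// decoded size the *sender* claims. Nothing is decompressed or allocated.
// Assumption taken from the block format: the field must fit in 32 bits.
func DeclaredDecodedLen(src []byte) (uint64, error) {
	v, n := binary.Uvarint(src)
	// n == 0: input too short for a varint; n < 0: varint overflows 64 bits.
	if n <= 0 || v > 0xffffffff {
		return 0, ErrCorrupt
	}
	return v, nil
}

// CheckDeclaredLen is the gate the advisory describes: reject the request
// on the declared size before a buffer of that size could be allocated.
func CheckDeclaredLen(body []byte, limit uint64) error {
	declared, err := DeclaredDecodedLen(body)
	if err != nil {
		return err
	}
	if declared > limit {
		return fmt.Errorf("%w: %d > %d", ErrTooLarge, declared, limit)
	}
	return nil
}

// literalBlock builds a valid snappy block for 1..60 payload bytes:
// uvarint(decoded length), then one literal element (tag byte, raw bytes).
// Constructed here so the example runs without a snappy library.
func literalBlock(payload []byte) []byte {
	if len(payload) == 0 || len(payload) > 60 {
		panic("literalBlock: payload must be 1..60 bytes")
	}
	out := binary.AppendUvarint(nil, uint64(len(payload)))
	out = append(out, byte((len(payload)-1)<<2)) // low two bits 00 = literal
	return append(out, payload...)
}

// forgedBlock reproduces the attack shape: the same tiny literal element,
// but a header claiming claimedLen decoded bytes. Only the header lies.
func forgedBlock(claimedLen uint64, payload []byte) []byte {
	honest := literalBlock(payload)
	_, n := binary.Uvarint(honest) // byte length of the honest header
	return append(binary.AppendUvarint(nil, claimedLen), honest[n:]...)
}

func main() {
	sample := []byte("up{job=\"node\"} 1") // constructed sample payload, 16 bytes
	fmt.Println("honest:       ", CheckDeclaredLen(literalBlock(sample), MaxDecodedLen))
	fmt.Println("1 GiB claimed:", CheckDeclaredLen(forgedBlock(1<<30, sample), MaxDecodedLen))
	fmt.Println("1 TiB claimed:", CheckDeclaredLen(forgedBlock(1<<40, sample), MaxDecodedLen))
}
```

The check only bounds the decoded side. The raw request body still needs its own cap (for example `http.MaxBytesReader` on the handler) so that neither the compressed input nor the declared output can be made arbitrarily large, and the declared-length test must run before any `make([]byte, declared)` rather than after a failed decode.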
