CVE-2026-40179
Stored Cross-Site Scripting in Prometheus Web UI Components
Publication date: 2026-04-15
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| prometheus | prometheus | From 3.0.0 (inc) to 3.5.2 (exc) |
| prometheus | prometheus | From 3.6.0 (inc) to 3.11.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Prometheus versions 3.0.0 through 3.5.1 and 3.6.0 through 3.11.1. It is a stored cross-site scripting (XSS) issue in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping or sanitization.
Specifically, in both the Mantine UI and the old React UI, chart tooltips on the Graph page render metric names containing HTML or JavaScript without sanitization. Additionally, in the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate label values without sanitization.
Because Prometheus v3.x allows characters like <, >, and " in metric names and labels by default, an attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI.
This can enable actions such as configuration exfiltration (the config status endpoint is always available), deletion of series data if --web.enable-admin-api is set, or shutting down Prometheus if --web.enable-lifecycle is set.
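The rendering mistake described above, reduced to string construction so it runs under plain Node, as an added illustration that is not Prometheus code. The series objects are constructed samples; `renderTooltipUnsafe`, `renderTooltipSafe` and `countTags` are hypothetical helpers that stand in for the tooltip components, not functions from the Prometheus UI.

```javascript
// Added illustration of the CVE-2026-40179 bug class; not code from Prometheus.
// The real sinks are innerHTML / dangerouslySetInnerHTML in the Graph tooltip,
// Metric Explorer and heatmap components; here the markup is returned as a
// string so the example runs without a DOM.

// Constructed sample series. Prometheus 3.x accepts UTF-8 metric and label
// names by default, so '<', '>' and '"' in a name are legal on ingestion.
const poisonedSeries = {
  name: 'up<img src=x onerror="fetch(\'/api/v1/status/config\')">',
  labels: { job: 'node', instance: '10.0.0.5:9100</span><script>alert(1)</script>' },
  value: 1,
};

const benignSeries = {
  name: 'up',
  labels: { job: 'node', instance: '10.0.0.5:9100' },
  value: 1,
};

// Minimal HTML escaping: enough for text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: metric name and label values are interpolated straight
// into markup that the UI then assigns to innerHTML.
function renderTooltipUnsafe(series) {
  const labels = Object.entries(series.labels)
    .map(([k, v]) => `${k}="${v}"`)
    .join(', ');
  return `<span class="name">${series.name}</span>{${labels}} = ${series.value}`;
}

// Fixed pattern: every data-derived fragment is escaped before it touches
// markup. With a real DOM, textContent or a framework text binding instead of
// innerHTML achieves the same result.
function renderTooltipSafe(series) {
  const labels = Object.entries(series.labels)
    .map(([k, v]) => `${escapeHtml(k)}="${escapeHtml(v)}"`)
    .join(', ');
  return `<span class="name">${escapeHtml(series.name)}</span>{${labels}} = ${series.value}`;
}

// Oracle: the template contributes exactly two tags (<span ...> and </span>),
// so any further tag in the output was smuggled in by the data.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

function rendersSafely(renderer, series) {
  return countTags(renderer(series)) === 2;
}

for (const [label, series] of [['benign', benignSeries], ['poisoned', poisonedSeries]]) {
  console.log(`${label} unsafe: ${countTags(renderTooltipUnsafe(series))} tags`);
  console.log(`${label} safe:   ${countTags(renderTooltipSafe(series))} tags`);
}
```

The benign series renders identically through both paths, which is why this class of bug survives normal testing: the difference only appears once a name or label value carries markup, and in v3.x nothing on the ingestion side rejects it.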
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to execute arbitrary JavaScript in the browser of any Prometheus user who views the malicious metric in the Graph UI. This could potentially lead to configuration exfiltration, data deletion, or Prometheus shutdown.
Such unauthorized access and manipulation of monitoring data and configurations could impact compliance with standards and regulations that require data integrity, confidentiality, and protection against unauthorized access, such as GDPR and HIPAA.
However, the provided information does not explicitly describe the direct impact on compliance with these standards.
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker to execute arbitrary JavaScript code in the browser of any Prometheus user who views the affected metrics in the Graph UI.
- Configuration exfiltration: Attackers may steal sensitive configuration data.
- Data deletion: Attackers may delete monitoring data.
- Prometheus shutdown: Attackers may cause the Prometheus service to shut down depending on enabled flags.
Overall, this can lead to compromised monitoring integrity, loss of critical data, and potential disruption of monitoring services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources.
Verify that all scrape targets are trusted and not under attacker control.
Avoid enabling admin or mutating API endpoints such as --web.enable-admin-api or --web.enable-lifecycle in environments where untrusted data may be ingested.
Refrain from clicking untrusted links to the Prometheus Graph page, especially ones whose query uses functions like label_replace, since such a query can produce poisoned label names and values at query time even when the stored data is clean.
Then update Prometheus to version 3.5.2 or 3.11.2 (or later), where this issue has been fixed.
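A check for the steps above, as an added example that is not Prometheus code: it takes the JSON that a Prometheus server returns from GET /api/v1/status/buildinfo and GET /api/v1/status/flags (both real endpoints) and reports whether the version falls in an affected range and which of the flags named in this advisory are enabled. The two JSON documents are constructed samples in the shape those endpoints return; `assess` and `isAffectedVersion` are hypothetical helper names.

```javascript
// Added example (not Prometheus code). Feed it the output of
//   curl -s http://localhost:9090/api/v1/status/buildinfo
//   curl -s http://localhost:9090/api/v1/status/flags
// The objects below are constructed samples in the same shape.

const buildinfoSample = {
  status: 'success',
  data: { version: '3.8.1', revision: 'deadbeef', branch: 'HEAD', goVersion: 'go1.24.0' },
};

// The flags endpoint returns every flag value as a string.
const flagsSample = {
  status: 'success',
  data: {
    'web.enable-remote-write-receiver': 'true',
    'web.enable-otlp-receiver': 'false',
    'web.enable-admin-api': 'false',
    'web.enable-lifecycle': 'true',
  },
};

// Affected ranges from the advisory table: [3.0.0, 3.5.2) and [3.6.0, 3.11.2).
const AFFECTED_RANGES = [
  { from: [3, 0, 0], to: [3, 5, 2] },
  { from: [3, 6, 0], to: [3, 11, 2] },
];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isAffectedVersion(v) {
  const p = parseVersion(v);
  return AFFECTED_RANGES.some((r) => cmp(p, r.from) >= 0 && cmp(p, r.to) < 0);
}

// Flags from the mitigation advice, with why each one matters here.
const RISKY_FLAGS = {
  'web.enable-remote-write-receiver': 'remote ingestion path for poisoned metric names and labels',
  'web.enable-otlp-receiver': 'remote ingestion path for poisoned metric names and labels',
  'web.enable-admin-api': 'lets injected JS delete series through the admin API',
  'web.enable-lifecycle': 'lets injected JS shut Prometheus down via /-/quit',
};

function assess(buildinfo, flags) {
  const version = buildinfo.data.version;
  const riskyFlags = Object.entries(RISKY_FLAGS)
    .filter(([name]) => flags.data[name] === 'true')
    .map(([name, why]) => ({ flag: `--${name}`, why }));
  return { version, affected: isAffectedVersion(version), riskyFlags };
}

console.log(JSON.stringify(assess(buildinfoSample, flagsSample), null, 2));
```

The version test is a plain three-part comparison because the advisory ranges are closed-open on release numbers; pre-release suffixes are ignored by the regex, which is the conservative choice for a "should I patch" check. Ingestion flags that are enabled are only a problem when the listener is reachable by untrusted parties, so treat those findings as prompts to check network exposure, not as defects by themselves.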