RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: CortexClear ×

Cortex

ObservabilityJun 5, 2026

v1.21.1 is a security-focused patch release addressing findings from a formal security audit, including XSS, gzip bomb, and memory amplification vulnerabilities — upgrade immediately.

  • securityUpgrade immediately — multiple audit findings patched

    This release backports fixes from a formal security audit (V01–V07). The vulnerabilities include a stored XSS on status pages, a gzip bomb in the OTLP ingestion path, memory amplification via malformed native histogram payloads, and gossip port exposure to flood/OOM attacks. These are not theoretical — they are exploitable by any client that can reach your Cortex endpoints. Upgrade to v1.21.1 now. After upgrading, review your -distributor.otlp-max-recv-msg-size setting; the default may be too permissive depending on your ingest volume.

  • securityAudit your /config endpoint exposure

    Prior to this release, Swift, etcd, Redis, and HTTP basic-auth credentials were exposed in plaintext on the /config endpoint. If that endpoint was accessible to internal users or scraping systems, treat those credentials as compromised and rotate them. Going forward, restrict /config access via network policy or auth middleware regardless of masking.

  • enhancementHarden memberlist gossip with new bounding flags

    Three new flags (-memberlist.packet-read-timeout, -memberlist.max-packet-size, -memberlist.max-concurrent-connections) cap inbound gossip TCP behavior. The defaults are reasonable, but if your Cortex cluster is exposed to less-trusted network segments or you've seen gossip-related OOM events, tune these explicitly. Add them to your Helm values or config management before the next planned maintenance window.

Key changes (7)
  • Stored XSS fixed in Alertmanager and Store Gateway status pages (text/template replaced with html/template)
  • Gzip decompression now capped by -distributor.otlp-max-recv-msg-size to prevent decompression bomb attacks
  • Native histogram protobuf size limited to 16 KB by default via -validation.max-native-histogram-size-bytes to block memory amplification
  • Memberlist gossip port hardened with new flags for packet read timeout, max packet size, and max concurrent connections
  • Credentials for Swift, etcd, Redis, and HTTP basic-auth are now masked on the /config endpoint
  • PushStream requests with mismatched TenantID are rejected; HMAC-SHA256 stream auth added via -distributor.sign-write-requests-keys
  • Panic fixed when grpc_compression is set to snappy on ingester or store-gateway clients
Source

Cortex

ObservabilityApr 27, 2026

Cortex v1.21.0 graduates several experimental features to stable, fixes multiple PRW2 data corruption and panic bugs, and introduces a new Parquet mode for Store Gateway alongside an Overrides API.

  • breakingAudit and update renamed flags before upgrading

    Several flags were renamed: -experimental.ruler.enable-api → -ruler.enable-api, -experimental.alertmanager.enable-api → -alertmanager.enable-api, -distributor.otlp.enable-type-and-unit-labels is now a no-op (consolidated into -distributor.enable-type-and-unit-labels), and parquet cache flags/configs dropped 'queryable' from their names. The users-scanner cleanup-interval became update-interval. Old flags are deprecated but not removed yet — audit your config files and Helm values now, before they disappear in a future release.

  • breakingPRW2 data corruption and panic fixes require validation of existing pipelines

    Three separate bugs in the Remote Write V2 handler were fixed: shallow copying of Samples/Histograms caused data corruption, dirty sync.Pool reuse caused index-out-of-range panics, and Symbols backing array wasn't cleared on pool return causing memory leaks. If you're using PRW2, treat this upgrade as mandatory. Validate your ingestion pipeline after upgrading and check that downstream metrics are intact.

  • enhancementBucket index is now on by default — verify storage permissions

    The bucket index is enabled by default in this release. If your object storage IAM policies restrict list operations or your Cortex deployment had bucket index disabled intentionally, verify that the bucket index can be written and read correctly post-upgrade. Cortex will generate and maintain the index automatically, but storage permission errors will surface as query failures rather than obvious configuration errors.

Key changes (5)
  • Bucket index enabled by default — disabling it in production is explicitly unsupported
  • Multiple flag and config renames: ruler, alertmanager, users-scanner, and parquet cache config keys have changed
  • PRW2 bugs fixed: data corruption from shallow copying Samples/Histograms, index-out-of-range panics, and memory leaks in sync.Pool reuse
  • New Overrides API module for managing tenant limits via API; old module renamed to overrides-configs
  • Alertmanager upgraded to v0.31.1 with IncidentIO and Mattermost integrations; config disappearance bug on ring unavailability fixed
Source