Prometheus
v3.5.4ObservabilityPrometheus v3.5.4 is a security-focused patch: fixes a secret-exposure bug in STACKIT SD and bumps several Go/UI dependencies to patch known CVEs. Upgrade promptly.
securityRotate STACKIT SD credentials if you use that SD
The /-/config endpoint was exposing STACKIT service discovery secrets in plaintext. If your Prometheus instance uses STACKIT SD and /-/config was reachable by anyone other than admins, assume those credentials are compromised and rotate them. Upgrade to v3.5.4 immediately, then restrict access to /-/config behind authentication.
securityUpgrade to patch three Go CVEs in golang.org/x/net and OpenTelemetry
GO-2026-5026, GO-2026-4918, and GO-2026-4985 are addressed by bumping golang.org/x/net to v0.55.0 and OpenTelemetry to v1.43.0. If you run Prometheus exposed to untrusted network traffic, this upgrade should not wait for your next maintenance window.
enhancementghcr.io image publishing available as an alternative pull source
Prometheus images are now also on ghcr.io. If your environment has rate-limit or access issues with Docker Hub, you can switch your image pull source to ghcr.io/prometheus/prometheus without waiting for a feature release.
主な変更 (4)
- STACKIT SD leaked secrets in plaintext via /-/config endpoint (GHSA-39j6-789q-qxvh) — now fixed
- golang.org/x/net and OpenTelemetry bumped to patch GO-2026-5026, GO-2026-4918, GO-2026-4985
- UI dependencies (react-router-dom, vite, vitest, postcss) updated to patched versions
- Container images now published to ghcr.io in addition to existing registries