Prometheus
The Prometheus monitoring system and time series database.
By the Year
So far in 2025 there have been 0 published vulnerabilities across Prometheus products (the server, Alertmanager, the exporters and the client libraries listed below), and none were published in 2024 either.
Year | Vulnerabilities | Average CVSS Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 0 | 0.00 |
2023 | 2 | 6.45 |
2022 | 2 | 8.15 |
2021 | 1 | 6.10 |
2020 | 1 | 5.80 |
2019 | 1 | 6.10 |
2018 | 0 | 0.00 |
It may take a day or so for new Prometheus vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name (for example blackbox_exporter, Alertmanager, exporter-toolkit or client_golang rather than Prometheus itself), so check those names as well when searching.
Recent Prometheus Security Vulnerabilities
Alertmanager handles alerts sent by client applications such as the Prometheus server
CVE-2023-40577
5.4 - Medium
- August 25, 2023
Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with permission to send POST requests to the /api/v1/alerts endpoint could execute arbitrary JavaScript in the browsers of Prometheus Alertmanager users. This issue has been fixed in Alertmanager version 0.25.1 (the original advisory text gives the version as 0.2.51, which is a typo). Because every Prometheus server that sends alerts must be able to reach this endpoint, restrict who can reach the API and treat alert labels and annotations as untrusted input.
XSS
blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface
CVE-2023-26735
7.5 - High
- April 26, 2023
blackbox_exporter v0.23.0 was reported to contain an access control issue in its probe interface. This vulnerability allows attackers to scan internal ports and services, and to fetch resources, through the exporter. NOTE: this is disputed by third parties because the exporter can be configured to require authentication.
SSRF
Prometheus Exporter Toolkit is a utility package to build exporters
CVE-2022-46146
8.8 - High
- November 29, 2022
Prometheus Exporter Toolkit is a utility package to build exporters. Before versions 0.7.2 (in the 0.7 line) and 0.8.2 (in the 0.8 line), someone who has access to a Prometheus web.yml file and the users' bcrypt-hashed passwords can bypass authentication by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but an attacker must already hold the hashed password to use this, so the practical exposure depends on how tightly web.yml and its hashes are protected.
Authentication Bypass
client_golang is the instrumentation library for Go applications in Prometheus
CVE-2022-21698
7.5 - High
- February 15, 2022
client_golang is the instrumentation library for Go applications in Prometheus, and its promhttp package provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, an instrumented HTTP server is susceptible to denial of service through unbounded label cardinality, and potentially memory exhaustion, when handling requests with non-standard HTTP methods. Software is affected only if all of the following hold: it uses any of the `promhttp.InstrumentHandler*` middlewares except `RequestsInFlight`; it does not filter requests down to a fixed set of methods (e.g. GET) before the middleware; it passes a metric with a `method` label to the middleware; and no firewall, load balancer or proxy in front of it drops requests with unknown methods. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available: remove the `method` label from the counter or gauge used with the InstrumentHandler; turn off the affected promhttp handlers; add custom middleware ahead of the promhttp handler that sanitizes the request method taken from Go's http.Request; or use a reverse proxy or web application firewall configured to allow only a limited set of methods.
Allocation of Resources Without Limits or Throttling
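The following is an added example, not code from client_golang or the advisory, that shows why the `method` label is the problem and what the "custom middleware before the promhttp handler" workaround looks like. It uses only the Go standard library: the `methodCounter` type stands in for a promhttp counter with a `method` label (one series per distinct label value), and `sanitizeMethod` is the allowlisting middleware. The method set in `allowedMethods` and the `ATTACK<n>` junk methods are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// methodCounter stands in for a promhttp counter that carries a `method`
// label: one time series per distinct label value. It is constructed for
// this example and is not client_golang's implementation.
type methodCounter struct {
	mu     sync.Mutex
	series map[string]int
}

func newMethodCounter() *methodCounter {
	return &methodCounter{series: make(map[string]int)}
}

// instrument behaves like an InstrumentHandler* middleware that labels the
// counter with whatever method string the client sent. Every unseen method
// allocates a new series, which is the unbounded-cardinality problem.
func (c *methodCounter) instrument(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.mu.Lock()
		c.series[r.Method]++
		c.mu.Unlock()
		next.ServeHTTP(w, r)
	})
}

// Cardinality reports how many distinct `method` label values exist.
func (c *methodCounter) Cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.series)
}

// allowedMethods is the closed set of methods the server is willing to
// record; anything else is rejected before it can become a label value.
var allowedMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodOptions: true,
}

// sanitizeMethod is the "custom middleware before the promhttp handler"
// workaround from the advisory: it runs ahead of the instrumented handler and
// refuses unknown methods, so the counter only ever sees allowlisted values.
func sanitizeMethod(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// seriesAfterAttack simulates a client that sends junkMethods requests, each
// with a unique made-up method, followed by one ordinary GET, and returns the
// label cardinality the counter ends up with. With sanitize=false every junk
// method becomes a series; with sanitize=true only GET does.
func seriesAfterAttack(sanitize bool, junkMethods int) int {
	counter := newMethodCounter()
	var h http.Handler = counter.instrument(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }))
	if sanitize {
		h = sanitizeMethod(h) // must wrap the instrumented handler, not sit behind it
	}
	for i := 0; i < junkMethods; i++ {
		// httptest.NewRequest accepts any RFC 7230 token as a method.
		req := httptest.NewRequest(fmt.Sprintf("ATTACK%d", i), "/", nil)
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/", nil))
	return counter.Cardinality()
}

func main() {
	fmt.Println("unsanitized series:", seriesAfterAttack(false, 1000)) // 1001
	fmt.Println("sanitized series:  ", seriesAfterAttack(true, 1000))  // 1
}
```

The ordering matters: the sanitizer has to wrap the instrumented handler so the rejection happens before the counter observes the method. Dropping the `method` label entirely, the first workaround in the advisory, removes the attacker-controlled dimension rather than filtering it, and is the simpler fix when the per-method breakdown is not needed.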
Prometheus is an open-source monitoring system and time series database
CVE-2021-29622
6.1 - Medium
- May 19, 2021
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed with /new redirect to /. Due to a bug in this code, an attacker can craft a URL under the /new endpoint that redirects to any other URL. If a user visits a Prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases, and the /new endpoint is removed completely in 2.28.0. The workaround is to block access to /new with a reverse proxy in front of Prometheus.
Open Redirect
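To make the bug class concrete, here is an added example (a reconstruction for illustration, not Prometheus's own handler) of a prefix-stripping redirect beside a hardened version. The assumption is the classic pattern: strip "/new" from the request path and redirect to whatever is left, so that a path like "/new//evil.example" yields a protocol-relative Location. The handler names and `localPath` helper are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// vulnerableNewRedirect shows the bug class, not Prometheus's actual code:
// strip the "/new" prefix and redirect to whatever remains. The request path
// "/new//evil.example" leaves "//evil.example", which http.Redirect passes
// through unchanged and browsers treat as a protocol-relative URL to another host.
func vulnerableNewRedirect(w http.ResponseWriter, r *http.Request) {
	target := strings.TrimPrefix(r.URL.Path, "/new")
	if target == "" {
		target = "/"
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// safeNewRedirect applies the same prefix strip but forces the result through
// localPath, so the Location header can only ever name a path on this origin.
func safeNewRedirect(w http.ResponseWriter, r *http.Request) {
	target := localPath(strings.TrimPrefix(r.URL.Path, "/new"))
	if q := r.URL.RawQuery; q != "" {
		target += "?" + q // keep the query string; it cannot supply a host
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// localPath normalizes an attacker-influenced path fragment to something that
// begins with exactly one "/" and that url.Parse sees as a bare path: no
// scheme, no authority, no opaque part. Anything else collapses to "/".
// Backslashes are stripped too, since some browsers read "/\host" as "//host".
func localPath(p string) string {
	p = "/" + strings.TrimLeft(p, `/\`)
	u, err := url.Parse(p)
	if err != nil || u.Scheme != "" || u.Host != "" || u.Opaque != "" ||
		!strings.HasPrefix(u.Path, "/") {
		return "/"
	}
	return u.EscapedPath()
}

// locationFor runs a handler against a GET for path and returns the
// Location header it produced.
func locationFor(h http.HandlerFunc, path string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Header().Get("Location")
}

func main() {
	for _, p := range []string{"/new/graph", "/new//evil.example", "/new/graph?g0.expr=up"} {
		fmt.Printf("%-24s vulnerable=%-20q safe=%q\n", p,
			locationFor(vulnerableNewRedirect, p), locationFor(safeNewRedirect, p))
	}
}
```

The key check is that the Location value, after normalization, parses with an empty scheme and host. Validating only "does it start with a slash" is not enough, because "//host" starts with a slash and still leaves the origin.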
Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF
CVE-2020-16248
5.8 - Medium
- August 09, 2020
Prometheus Blackbox Exporter through 0.17.0 allows SSRF via the /probe?target= parameter. NOTE: follow-on discussion suggests that this can plausibly be read both as intended functionality (probing the targets it is given is what the exporter does) and as a vulnerability when the endpoint is reachable without authentication or target restrictions.
SSRF
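Both blackbox exporter entries above (CVE-2023-26735 and CVE-2020-16248) come down to the same question: who may set ?target=, and to what. As an added example, not a feature of blackbox_exporter, here is a Go gate in the standard library that a reverse proxy in front of the exporter could apply before forwarding /probe: the target's host must be on an allowlist, and an IP literal must not fall in loopback, private, link-local, multicast or unspecified ranges. The `probeTargetAllowed` and `probeGate` names, the allowlist contents and the sample targets are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"strings"
)

// probeTargetAllowed decides whether a ?target= value may be probed. A target
// is accepted only if it names a host on the allowlist and, when it is an IP
// literal, that IP is not in a loopback, private, link-local, multicast or
// unspecified range. Constructed guard for this example, not exporter code.
func probeTargetAllowed(raw string, allowedHosts map[string]bool) error {
	host := raw
	if strings.Contains(raw, "://") {
		// http/https modules take a full URL.
		u, err := url.Parse(raw)
		if err != nil {
			return fmt.Errorf("target %q: %w", raw, err)
		}
		host = u.Hostname()
	} else if h, _, err := net.SplitHostPort(raw); err == nil {
		// tcp/dns modules take host:port.
		host = h
	} else {
		// icmp takes a bare host; strip IPv6 brackets if present.
		host = strings.Trim(raw, "[]")
	}
	if host == "" {
		return errors.New("target has no host")
	}
	if addr, err := netip.ParseAddr(host); err == nil {
		addr = addr.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
		if addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() ||
			addr.IsLinkLocalMulticast() || addr.IsMulticast() || addr.IsUnspecified() {
			return fmt.Errorf("target %q is in a reserved address range", host)
		}
	}
	if !allowedHosts[strings.ToLower(host)] {
		return fmt.Errorf("target host %q is not on the allowlist", host)
	}
	return nil
}

// probeGate wraps the upstream /probe handler and refuses requests whose
// target fails probeTargetAllowed, before anything reaches the exporter.
func probeGate(next http.Handler, allowedHosts map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := probeTargetAllowed(r.URL.Query().Get("target"), allowedHosts); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed allowlist and sample targets for the demonstration.
	allowed := map[string]bool{"example.com": true, "www.example.com": true}
	for _, t := range []string{
		"https://example.com/health",
		"example.com:443",
		"http://10.0.0.1:22",
		"http://127.0.0.1:9090/-/ready",
		"http://[::1]:9100/metrics",
		"http://[::ffff:10.0.0.1]/",
		"http://169.254.169.254/latest/meta-data/",
		"http://intranet.corp/",
	} {
		fmt.Printf("%-44s %v\n", t, probeTargetAllowed(t, allowed))
	}
}
```

The gate only inspects what the caller wrote; the exporter still resolves hostnames itself, so an allowlisted name that resolves to an internal address (or is rebound to one) passes. Pair it with the authentication the NVD note refers to and with egress controls on the exporter's network namespace rather than relying on it alone.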
A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1
CVE-2019-3826
6.1 - Medium
- March 26, 2019
A stored, DOM-based cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing arbitrary scripts to be executed and persistently stored.
XSS