PatchSiren cyber security CVE debrief
CVE-2026-44903 prometheus CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in Prometheus's legacy web UI when the `--enable-feature=old-ui` flag is enabled. The histogram heatmap chart view fails to escape `le` (less than or equal) label values when rendering them as axis tick mark labels in HTML. An attacker with the ability to inject crafted metrics can execute arbitrary JavaScript in the browser of any Prometheus user who views the affected metric in the heatmap chart UI. The vulnerability affects versions 2.49.0 through 3.5.2 and 3.6.0 through 3.11.2.
- Vendor: prometheus
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations running Prometheus monitoring infrastructure with the legacy web UI enabled; security teams responsible for observability platform hardening; DevOps/SRE teams managing Prometheus deployments; users who rely on histogram visualizations in the Prometheus web interface.
Technical summary
The vulnerability stems from improper HTML escaping of `le` label values in the Prometheus legacy web UI's histogram heatmap chart rendering. The `le` label is the standard Prometheus histogram bucket boundary label. When these values are inserted into the DOM as axis tick mark labels without proper sanitization, attacker-controlled JavaScript can execute in the victim's browser context. This is a stored XSS variant in which the payload resides in time-series data rather than in traditional persistent storage. The attack requires: (1) the legacy UI feature flag enabled, (2) attacker capability to inject metrics with malicious `le` labels, and (3) victim interaction (viewing the heatmap chart). The CVSS 4.0 vector indicates a network attack vector, low attack complexity, low privileges required, and user interaction required, with low impact on the confidentiality and integrity of the vulnerable security scope.
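To make the escaping point concrete, the following is an added illustration, not code from Prometheus or from the fix commit: a tick-label builder that interpolates the `le` value straight into markup, next to one that HTML-escapes the value first. The `le` value used is a constructed sample; `escapeHtml`, `buildTickLabelUnsafe`, `buildTickLabelSafe` and `containsInjectedTag` are names chosen for this example.

```javascript
// Added illustration (not Prometheus's own code): how an unescaped `le` label
// value becomes markup when concatenated into HTML, and the escaping that
// keeps it as literal text. All names and sample values here are constructed.

// Minimal HTML escaper for the five characters that can break out of text or
// attribute context. Ampersand must be replaced first so later entities are
// not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the label value is interpolated straight into markup
// that a UI would then assign via innerHTML (or equivalent). Any tag in the
// value is parsed by the browser as part of the page.
function buildTickLabelUnsafe(le) {
  return `<span class="tick">${le}</span>`;
}

// Hardened pattern: escape before interpolating, so the value renders as
// text. In a browser, assigning via textContent instead of innerHTML gives
// the same guarantee without a hand-written escaper.
function buildTickLabelSafe(le) {
  return `<span class="tick">${escapeHtml(le)}</span>`;
}

// True if the rendered string carries tags beyond the wrapper's own open and
// close tag, i.e. the label value contributed markup of its own.
function containsInjectedTag(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length > 2;
}

// Constructed sample: a bucket boundary with markup appended. Real `le`
// values are decimal floats or "+Inf"; anything else is already suspect.
const sampleLe = '0.5<i data-x="1">tick</i>';

console.log("unsafe:", buildTickLabelUnsafe(sampleLe));
console.log("safe:  ", buildTickLabelSafe(sampleLe));
console.log("injected tag in unsafe output:", containsInjectedTag(buildTickLabelUnsafe(sampleLe)));
console.log("injected tag in safe output:  ", containsInjectedTag(buildTickLabelSafe(sampleLe)));
```

The escaper is the generic remedy for CWE-79 in this context; a templating layer that escapes by default (or DOM APIs that never parse the value as HTML) removes the need to remember it at every call site.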
Defensive priority
medium
Recommended defensive actions
- Upgrade Prometheus to version 3.5.3 or later, or to version 3.11.3 or later
- If using the legacy web UI (`--enable-feature=old-ui`), prioritize patching as this feature is specifically affected
- If immediate patching is not possible, consider disabling the legacy web UI by removing the `--enable-feature=old-ui` flag
- Review and sanitize metric sources to prevent injection of crafted label values
- Monitor for suspicious metrics with unusual `le` label values in histogram data
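The last two actions above (sanitizing metric sources and monitoring for unusual `le` values) both come down to one check: a histogram bucket boundary is a decimal float or `+Inf`, so anything else in an `le` label is worth flagging. The following is an added example, not Prometheus's own tooling, that scans text-exposition samples for such values. The input lines are constructed; `isWellFormedLe`, `extractLe` and `findSuspiciousLe` are names chosen for this example, and accepting only `+Inf` as the non-numeric boundary is an assumption that a deployment may need to loosen.

```javascript
// Added example (not Prometheus's own code): flag histogram bucket samples
// whose `le` label is not a well-formed bucket boundary. Input is constructed.

// Strict float syntax: optional sign, digits with optional fraction or a bare
// fraction, optional exponent. Deliberately rejects hex, blanks and "Infinity".
const FLOAT_RE = /^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$/;

// Assumption for this example: "+Inf" is the only non-numeric boundary seen.
function isWellFormedLe(value) {
  return value === "+Inf" || FLOAT_RE.test(value);
}

// Extracts the `le` label value from one exposition line, honouring
// backslash escapes inside the quoted value; returns null if no `le` label.
// The label must follow "{" or "," so names like "handle" do not match.
function extractLe(line) {
  const m = line.match(/[{,]\s*le="((?:[^"\\]|\\.)*)"/);
  return m ? m[1] : null;
}

// Returns the 1-based line number and offending value of every sample whose
// `le` label fails the check. Comment and blank lines are skipped.
function findSuspiciousLe(expositionText) {
  const findings = [];
  expositionText.split("\n").forEach((line, idx) => {
    if (line.startsWith("#") || line.trim() === "") return;
    const le = extractLe(line);
    if (le !== null && !isWellFormedLe(le)) {
      findings.push({ line: idx + 1, le });
    }
  });
  return findings;
}

// Constructed exposition snippet: three legitimate buckets and one whose
// boundary carries markup instead of a number.
const SAMPLE = [
  "# TYPE http_request_duration_seconds histogram",
  'http_request_duration_seconds_bucket{code="200",le="0.1"} 12',
  'http_request_duration_seconds_bucket{code="200",le="1e3"} 30',
  'http_request_duration_seconds_bucket{code="200",le="+Inf"} 40',
  'http_request_duration_seconds_bucket{code="200",le="0.5<i>x</i>"} 1',
  "http_request_duration_seconds_count 40",
].join("\n");

console.log(findSuspiciousLe(SAMPLE));
```

Run against a scrape target's `/metrics` output (or the text returned by Prometheus's federation endpoint) this gives a cheap pre-ingest or periodic check; a positive finding identifies the exporter or pushing client that needs its label handling reviewed.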
Evidence notes
The vulnerability is confirmed by the official GitHub Security Advisory GHSA-fw8g-cg8f-9j28 and a corresponding commit (38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d) that implements the fix. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Official resources
2026-05-26