Prometheus 3.12.0 shipped on May 28, 2026, with two security fixes alongside a batch of new features.
Secret leak in STACKIT service discovery (GHSA-39j6-789q-qxvh)
If you use STACKIT service discovery, your service_account_key and private_key fields were exposed in plaintext through the /-/config HTTP endpoint.
The root cause: both fields were typed as plain string in the configuration struct instead of config.Secret. Prometheus only redacts fields of type Secret when serving the config endpoint, so these credentials passed through without masking.
What it takes to exploit this: network access to the Prometheus port is sufficient. By default Prometheus does not require authentication on /-/config. No special permissions or interaction are required beyond being able to reach the port.
Who is affected: only installations using STACKIT service discovery with credentials set. If you do not use STACKIT SD, this does not apply to you.
Temporary mitigation if you cannot upgrade immediately: put Prometheus behind a reverse proxy that requires authentication, and block direct access to the port from untrusted networks. Alternatively, restrict access to /-/config at the network level.
Decompression bomb DoS in remote write receivers
The remote write receiver endpoint did not validate the declared decoded length in snappy-compressed request bodies before allocating memory. An unauthenticated sender could submit a small payload with a very large declared size, triggering a heap allocation that exhausts available memory.
The fix caps decompressed length at 32 MB per request. This only affects nodes running with --web.enable-remote-write-receiver, not standard Prometheus instances that only scrape targets.
Temporary mitigation: place the remote write receiver behind a reverse proxy or firewall that requires authentication before requests reach the endpoint.
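The check the fix adds can be shown with the standard library alone, because the snappy block format begins with the decoded length as a little-endian varint. The following is an added example, not the Prometheus receiver code: it reads that header and refuses the request when the declared size exceeds a cap, before any output buffer is allocated. `MaxDecodedLen`, `DeclaredLen`, `CheckDeclaredLen` and `payloadWithDeclaredLen` are names invented here, and the sample payloads are constructed headers followed by filler bytes rather than valid snappy streams.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// MaxDecodedLen is the per-request cap used in this example. 32 MB matches the
// figure given for the fix above, but it is a parameter here, not the upstream
// constant.
const MaxDecodedLen = 32 * 1024 * 1024

var (
	ErrBadHeader      = errors.New("snappy: malformed or truncated length header")
	ErrDeclaredTooBig = errors.New("snappy: declared decoded length exceeds limit")
)

// DeclaredLen reads the uncompressed-length prefix of a snappy block-format
// payload. Nothing in that header proves the body can actually expand to the
// stated size; a decoder that allocates the stated size up front is what a
// decompression bomb exploits. The format caps the length at 2^32-1, so larger
// values are treated as corrupt, as a real decoder would.
func DeclaredLen(body []byte) (int, error) {
	n, k := binary.Uvarint(body)
	if k <= 0 || n > 0xffffffff {
		return 0, ErrBadHeader
	}
	return int(n), nil
}

// CheckDeclaredLen is the guard a receiver runs before allocating: it returns
// the declared length, or ErrDeclaredTooBig when it exceeds max.
func CheckDeclaredLen(body []byte, max int) (int, error) {
	n, err := DeclaredLen(body)
	if err != nil {
		return 0, err
	}
	if n > max {
		return n, ErrDeclaredTooBig
	}
	return n, nil
}

// payloadWithDeclaredLen builds a constructed sample: a header claiming
// `declared` bytes followed by three filler bytes. It is deliberately not a
// valid snappy stream; it only shows what the header check sees.
func payloadWithDeclaredLen(declared uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	k := binary.PutUvarint(buf, declared)
	return append(buf[:k], 0x00, 0x01, 0x02)
}

func main() {
	small := payloadWithDeclaredLen(1024)
	bomb := payloadWithDeclaredLen(3 << 30) // claims 3 GiB from a body of a few bytes
	for _, p := range [][]byte{small, bomb} {
		n, err := CheckDeclaredLen(p, MaxDecodedLen)
		fmt.Printf("body=%d bytes declared=%d err=%v\n", len(p), n, err)
	}
}
```

The important ordering is that the cap is applied to the header value before any allocation proportional to it; checking the actual decoded size afterwards would be too late, since the memory has already been requested. The same pattern applies to any endpoint that accepts compressed input and trusts a length field inside it.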
What to do
Upgrade to 3.12.0. There is no patch on the 3.11.x or 3.5.x LTS branches for the STACKIT issue specifically -- it was addressed in the 3.12.0 release.
After upgrading, rotate any STACKIT service_account_key and private_key credentials that were configured while running an affected version, since they may have been read by anyone with access to the /-/config endpoint.
Other changes in 3.12.0
- New experimental PromQL functions: start(), end(), range(), and step()
- Web UI for deleting time series and cleaning tombstones (Status menu)
- TSDB head chunk lookup changed from quadratic to constant time in range queries
- DigitalOcean Managed Databases and Outscale VM service discovery added
Sources
- Release notes: github.com/prometheus/prometheus/releases/tag/v3.12.0
- STACKIT secret leak advisory: github.com/advisories/GHSA-39j6-789q-qxvh