Security 3.5.3
Security release: OAuth, snappy decode, and XSS fixes
This release addresses four security vulnerabilities: AzureAD OAuth client_secret exposure in the config endpoint, snappy decompression limits in remote-write/read, and a stored XSS in the legacy UI heatmap charts. All issues have been responsibly disclosed and assigned CVE identifiers.
This release fixes multiple security issues.
We would like to thank the following people for the responsible disclosures:
- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.
- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.
- @iiihaiii and @ngocnn97 for the Old UI XSS vulnerability.
- [SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18587
- [SECURITY] Remote-Write: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. #18591
- [SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18585
- [SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18589
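The Remote-Write and Remote-read items above reject a request by its declared decoded length. As an added example (not code from this release or project), the Go program below reads the uvarint length preamble of a snappy block-format body and refuses it before any output buffer is allocated. The function names and the 32 MiB limit are assumptions; the release notes do not state the limit.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxDecodedLen is an assumed limit for this example (32 MiB).
const maxDecodedLen = 32 << 20

var (
	errBadHeader = errors.New("snappy: malformed length preamble")
	errTooLarge  = errors.New("snappy: declared decoded length exceeds limit")
)

// declaredDecodedLen returns the uncompressed size a snappy block-format
// message claims in its uvarint preamble, without decompressing anything.
func declaredDecodedLen(body []byte) (uint64, error) {
	n, read := binary.Uvarint(body)
	if read <= 0 { // 0: empty or truncated preamble, <0: varint overflow
		return 0, errBadHeader
	}
	return n, nil
}

// checkDecodeLimit is meant to run before the decoder sizes its output buffer.
func checkDecodeLimit(body []byte, limit uint64) error {
	n, err := declaredDecodedLen(body)
	if err != nil {
		return err
	}
	if n > limit {
		return fmt.Errorf("%w: %d > %d", errTooLarge, n, limit)
	}
	return nil
}

func main() {
	// Constructed samples: a valid block holding the literal "hello", and a
	// bare preamble that declares 2^32-1 bytes with no payload behind it.
	small := []byte{0x05, 0x10, 'h', 'e', 'l', 'l', 'o'}
	huge := []byte{0xff, 0xff, 0xff, 0xff, 0x0f}
	fmt.Println("small:", checkDecodeLimit(small, maxDecodedLen))
	fmt.Println("huge: ", checkDecodeLimit(huge, maxDecodedLen))
	fmt.Println("empty:", checkDecodeLimit(nil, maxDecodedLen))
}
```

The declared length is attacker-controlled and independent of the request size, so a body-size cap on the HTTP handler alone does not bound the decoder's allocation.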
security oauth xss remote-write remote-read ui