CVE-2026-44903 Overview
CVE-2026-44903 is a stored cross-site scripting (XSS) vulnerability in the Prometheus open-source monitoring system and time series database. The flaw exists in the legacy web UI heatmap chart view, which is enabled with the command-line flag --enable-feature=old-ui. The chart fails to escape le label values before inserting them into HTML used for axis tick mark labels. An attacker who can inject crafted metrics can execute arbitrary JavaScript in the browser of any Prometheus user viewing the metric in the heatmap chart. The issue affects versions from 2.49.0 up to (but not including) 3.5.3 and 3.11.3.
Critical Impact
Attackers with metric injection capability can run arbitrary JavaScript in the browsers of Prometheus operators, enabling session theft, UI manipulation, and lateral access into monitoring infrastructure.
Affected Products
- Prometheus server versions 2.49.0 through 3.5.2 (legacy UI enabled)
- Prometheus server 3.x branch prior to 3.5.3
- Prometheus server 3.11.x branch prior to 3.11.3
Discovery Timeline
- 2026-05-26 - CVE-2026-44903 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-44903
Vulnerability Analysis
The vulnerability is a stored cross-site scripting flaw classified under CWE-79. Prometheus stores histogram bucket boundaries in the le (less-than-or-equal) label of histogram metric series. The legacy web UI heatmap chart renders these le values as axis tick labels by concatenating them into HTML markup. Because no output encoding is applied, an attacker who controls a metric label value can break out of the expected text context and inject script tags or event handlers.
Exploitation requires the operator to run Prometheus with the --enable-feature=old-ui flag. Modern Prometheus deployments using the default UI are not exposed through this code path. The persistent nature of metric storage means a single injection can repeatedly fire each time an authorized user opens the heatmap visualization.
Root Cause
The defect lies in web/ui/react-app/src/pages/graph/Graph.tsx, where le label strings were inserted into chart tick configuration without HTML escaping. The fix imports an escapeHTML helper from the project utilities and applies it to label values before they reach the rendering layer.
Attack Vector
An attacker first needs the ability to inject metrics into a target Prometheus instance. This is commonly achieved through compromised or misconfigured scrape targets, exposed push gateways, or remote write endpoints. The attacker crafts a histogram metric whose le label contains an HTML payload such as a <script> tag or onerror handler. When a Prometheus user navigates to the heatmap chart for that metric in the legacy UI, the payload executes in the browser session with the user's privileges in the Prometheus origin.
import { FontAwesomeIcon } from '@fortawesome/react-fontawesome';
import { faTimes } from '@fortawesome/free-solid-svg-icons';
import { GraphDisplayMode } from './Panel';
+import { escapeHTML } from '../../utils';
require('../../vendor/flot/jquery.flot');
require('../../vendor/flot/jquery.flot.stack');
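Review bot: the hunk only adds the line `+import { escapeHTML } from '../../utils';`; the call site where the le label values are actually passed through escapeHTML before being written into the tick label HTML is not shown, so from this fragment alone a reviewer cannot confirm that every path that concatenates label text into markup is covered. Include the tick-formatter change in the same hunk so the escape can be checked at the point of HTML insertion, and note that the new import sits between the ES module imports and the `require(...)` calls, which matches the file's existing ordering.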
Source: Prometheus security commit 38f23b9. The patch introduces the escapeHTML utility into Graph.tsx and routes tick label values through it before HTML insertion.
Detection Methods for CVE-2026-44903
Indicators of Compromise
- Histogram metrics whose le label values contain HTML control characters such as <, >, or ", or substrings like <script, onerror=, or javascript:.
- Unexpected scrape targets or remote-write sources publishing histogram series with non-numeric le values.
- Outbound browser requests from Prometheus operator workstations to unknown domains immediately after viewing a heatmap chart.
Detection Strategies
- Query Prometheus for any series where le is not parseable as a number, for example using PromQL label introspection over histogram series.
- Inspect process command lines on Prometheus hosts for the --enable-feature=old-ui flag, which indicates exposure to the vulnerable code path.
- Review web server access logs for requests to the legacy UI heatmap routes correlated with subsequent anomalous JavaScript-driven activity.
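The first detection strategy above (find histogram series whose le label is not a number) as an added example, not code from the advisory or from the Prometheus project. It uses the real Prometheus HTTP API endpoint /api/v1/series; the server URL is a constructed placeholder and the embedded sample series are constructed for offline use.

```python
import json
import re
import urllib.parse
import urllib.request

# A legitimate bucket boundary is a float (optionally with exponent) or +Inf.
NUMERIC_LE = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$|^\+Inf$")
# Markers that could break out of an HTML text context (mirrors the IoC list).
HTML_MARKERS = re.compile(r"[<>\"']|<script|onerror=|javascript:", re.IGNORECASE)


def classify_le(value):
    """Return None for a benign numeric boundary, otherwise a short reason."""
    if NUMERIC_LE.match(value):
        return None
    if HTML_MARKERS.search(value):
        return "html-metacharacters"
    return "non-numeric"


def find_suspicious_series(series_list):
    """Given /api/v1/series 'data' entries, return (labels, reason) for bad le values."""
    findings = []
    for labels in series_list:
        le = labels.get("le")
        if le is None:  # not a histogram bucket series
            continue
        reason = classify_le(le)
        if reason:
            findings.append((labels, reason))
    return findings


def fetch_histogram_series(base_url, timeout=10):
    """Pull every series carrying an le label from a live server (base_url is assumed)."""
    query = urllib.parse.urlencode({"match[]": '{le!=""}'})
    with urllib.request.urlopen(f"{base_url}/api/v1/series?{query}", timeout=timeout) as resp:
        body = json.load(resp)
    if body.get("status") != "success":
        raise RuntimeError(f"series query failed: {body}")
    return body["data"]


# Constructed sample shaped like the 'data' array of an /api/v1/series response.
SAMPLE_SERIES = [
    {"__name__": "http_request_duration_seconds_bucket", "le": "0.5", "job": "api"},
    {"__name__": "http_request_duration_seconds_bucket", "le": "+Inf", "job": "api"},
    {"__name__": "http_request_duration_seconds_bucket", "le": "1e3", "job": "api"},
    {"__name__": "http_request_duration_seconds_bucket", "le": "<b>0.5</b>", "job": "rogue"},
    {"__name__": "http_request_duration_seconds_bucket", "le": "fast", "job": "rogue"},
]

if __name__ == "__main__":
    # Swap SAMPLE_SERIES for fetch_histogram_series("http://prometheus.example:9090") on a live host.
    for labels, reason in find_suspicious_series(SAMPLE_SERIES):
        print(reason, labels)
```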
Monitoring Recommendations
- Audit and restrict who can write metrics to Prometheus, including scrape target ownership and remote-write authentication.
- Alert on configuration changes that re-enable the legacy UI feature flag in production deployments.
- Track Prometheus server version drift to confirm fleet-wide remediation against 3.5.3 or 3.11.3.
How to Mitigate CVE-2026-44903
Immediate Actions Required
- Upgrade Prometheus to version 3.5.3 or 3.11.3, which contain the HTML escaping fix.
- Remove the --enable-feature=old-ui flag from server start parameters unless explicitly required.
- Validate the integrity of metric sources and rotate any operator browser sessions that may have viewed crafted heatmaps.
Patch Information
The upstream fix is committed in Prometheus commit 38f23b9 and documented in GitHub Security Advisory GHSA-fw8g-cg8f-9j28. The patch applies escapeHTML to le label values inside web/ui/react-app/src/pages/graph/Graph.tsx before they are written into chart tick labels.
Workarounds
- Disable the legacy web UI by removing --enable-feature=old-ui from the Prometheus command line and restarting the service.
- Restrict network access to the Prometheus UI to trusted administrative networks using a reverse proxy or firewall ACLs.
- Enforce strict label validation on ingestion paths to reject histogram metrics whose le value is not numeric.
# Remove the legacy UI feature flag and restart Prometheus
# Before: prometheus --config.file=/etc/prometheus/prometheus.yml --enable-feature=old-ui
# After:
prometheus --config.file=/etc/prometheus/prometheus.yml
# Verify the running binary is one of the patched releases
# (--version writes to stderr, so merge it into stdout before grepping)
prometheus --version 2>&1 | grep -E '3\.5\.3|3\.11\.3'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.