What is the CVSS score of CVE-2026-42154?

CVE-2026-42154 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Prometheus are affected by CVE-2026-42154?

Prometheus versions before 3.5.3 and 3.11.3 are vulnerable to unauthenticated denial-of-service attacks through the remote read endpoint, where attackers can crash the monitoring server by sending…. A patch is available.

Is there a public PoC exploit available for CVE-2026-42154?

Yes, a public proof-of-concept exploit is available for CVE-2026-42154. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-42154?

Within 24 hours: Identify all Prometheus instances and their versions using inventory/CMDB queries. Within 7 days: Upgrade all Prometheus deployments to version 3.5.3 (if on 3.5.x branch) or 3.11.3 (if on 3.11.x branch) or later. Within 30 days: Verify upgrades in staging and production, validate remote read endpoint functionality post-patch, and document completion in change management system.

Prometheus CVE-2026-42154

EUVD-2026-27091 HIGH

Uncontrolled Resource Consumption (CWE-400)

2026-05-04 GitHub_M

GHSA-8rm2-7qqf-34qm

Denial Of Service Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch available

May 04, 2026 - 20:01 EUVD

Source Code Evidence Fetched

May 04, 2026 - 19:30 vuln.today

Analysis Generated

May 04, 2026 - 19:30 vuln.today

DescriptionNVD

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.

AnalysisAI

Memory exhaustion in Prometheus remote read endpoint allows unauthenticated attackers to crash the monitoring server via maliciously crafted snappy-compressed payloads. The /api/v1/read endpoint in versions prior to 3.5.3 and 3.11.3 accepts compressed request bodies without validating the declared decoded length, enabling a 5-byte payload claiming 256 MiB decoded size to trigger massive heap allocations. …

RemediationAI

Within 24 hours: Identify all Prometheus instances and their versions using inventory/CMDB queries. Within 7 days: Upgrade all Prometheus deployments to version 3.5.3 (if on 3.5.x branch) or 3.11.3 (if on 3.11.x branch) or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-42154 vulnerability details – vuln.today

Back

Prometheus CVE-2026-42154

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code