Percona Monitoring and Management 3.8.1

Release date: June 16th, 2026

Percona Monitoring and Management (PMM) is an open source database monitoring, management, and observability solution for MySQL, PostgreSQL, MongoDB, Valkey and Redis. PMM empowers you to:

  • monitor the health and performance of your database systems
  • identify patterns and trends in database behavior
  • diagnose and resolve issues faster with actionable insights
  • manage databases across on-premises, cloud, and hybrid environments

📋 Release summary

PMM 3.8.1 is a security-focused release that patches critical and high-severity vulnerabilities in gRPC, Grafana, and nginx, and fixes several ClickHouse and dashboard stability issues.

🔒 Security updates

Grafana upgraded to 12.4.3+security-02

PMM 3.8.1 upgrades Grafana to 12.4.3+security-02 to address 10 security vulnerabilities. We recommend upgrading to PMM 3.8.1 as soon as possible. For the full list of CVEs addressed through this upgrade, see the Grafana 12.4.3+security-02 release notes.

Zero vulnerabilities in PMM’s own components

All PMM-owned binaries (exporters, VictoriaMetrics, Nomad, pmm-managed, pmm-agent, pmm-admin, vmalert, vmproxy, qan-api2, pmm-dump) report zero known vulnerabilities in this release. Any remaining risks are in third-party dependencies where upstream fixes are not yet available, and none are exploitable in a typical PMM deployment.

Fixed third-party vulnerabilities

pgx memory-safety vulnerability (CVE-2026-33816)

CRITICAL severity. Fixed by bumping pgx from v5.8.0 to v5.9.2 in the Percona Grafana fork.

gRPC authorization bypass (CVE-2026-33186)

HIGH severity. Fixed through upstream dependency updates across all PMM components.

Go stdlib MIME header decoding DoS (CVE-2026-42504)

HIGH severity. Fixed across pmm-dump, VictoriaMetrics, and vmalert by rebuilding on Go 1.26.4.

Docker engine vulnerabilities in Nomad (CVE-2026-41567 and CVE-2026-42306)

HIGH severity. Fixed through upstream Nomad dependency update.

nginx TLS backend injection (CVE-2026-1642)

HIGH severity. Fixed by upgrading the bundled nginx.

Remaining third-party security risks

PMM, like all complex software, includes third-party components. Some vulnerabilities in those components couldn’t be fixed in this release because upstream fixes weren’t yet available. Percona assessed each one and considers the risk low for typical PMM deployments. Affected dependencies will be updated as fixes become available.

Go JOSE denial of service (CVE-2026-34986)

Affected component

Grafana (third-party dependency, go-jose v4.1.3, fixed in v4.1.4).

Why this is hard to exploit in PMM

This affects JWT/JWE processing in Grafana’s authentication workflows. To exploit it, an attacker would need to send crafted JWE tokens to Grafana’s authentication endpoints. PMM authentication is required to reach those endpoints, and the impact is limited to denial of service, so no data access or code execution is possible.

Mitigating factors

  • PMM authentication is required to access Grafana.
  • The impact is limited to denial of service, not data access or code execution.

Risk decision

We’re accepting this risk for PMM 3.8.1 and will fix it in a future Grafana upstream update.

Docker engine vulnerabilities in Grafana transitive dependencies (CVE-2026-34040, CVE-2026-41567 & CVE-2026-42306)

Affected component

Grafana binary (third-party dependency, moby/moby as a transitive build dependency).

Why this is hard to exploit in PMM

These are Docker engine vulnerabilities covering authorization bypass, container archive execution on the host, and a docker cp race condition. PMM does not run or expose a Docker daemon. The moby/moby library is compiled into Grafana as a build dependency only, so the vulnerable code paths are never executed in a PMM deployment.

Mitigating factors

  • PMM Server does not run a Docker daemon or expose Docker API endpoints.
  • These code paths exist only as unused transitive dependencies in the Grafana binary.
  • No PMM operation invokes Docker container management functions.

Risk decision

We’re accepting this risk for PMM 3.8.1 and will fix it in a future dependency update.

Grafana Tempo denial of service and information disclosure (CVE-2026-21728 & CVE-2026-28377)

Affected component

Grafana binary (Tempo is compiled into Grafana as an optional datasource plugin).

Why this is hard to exploit in PMM

Tempo is a distributed tracing backend. PMM does not use Tempo, does not configure a Tempo datasource, and does not accept tracing data. Neither the denial of service via large queries nor the S3 encryption key disclosure via the status endpoint can be triggered in a PMM deployment.

Mitigating factors

  • PMM does not configure or enable the Tempo datasource.
  • No PMM component sends or receives tracing data through Tempo.
  • The vulnerable endpoints are not exposed in PMM’s Grafana configuration.

Risk decision

We’re accepting this risk for PMM 3.8.1 and will fix it in a future dependency update.

Apache Thrift integer overflow (CVE-2026-41602)

Affected component

Grafana binary (Thrift is a transitive dependency).

Why this is hard to exploit in PMM

This is an integer overflow in TFramedTransport. PMM does not use Thrift-based protocols for any inter-component communication. The vulnerable code path is not reachable through any PMM operation.

Mitigating factors

  • PMM uses gRPC and HTTP/JSON for all inter-component communication, not Thrift.
  • The Thrift library is an unused transitive dependency in the Grafana binary.

Risk decision

We’re accepting this risk for PMM 3.8.1 and will fix it in a future dependency update.

Prometheus library vulnerabilities (CVE-2026-42151 & CVE-2026-42154)

Affected component

Affects the Prometheus library embedded in Grafana for PromQL evaluation.

Why this is hard to exploit in PMM

PMM uses VictoriaMetrics as its metrics backend, not Prometheus, so the affected code paths are rarely reached. CVE-2026-42151 discloses Azure OAuth client secrets via the config API. PMM does not use Azure OAuth for Prometheus. CVE-2026-42154 allows denial of service via uncontrolled memory allocation in remote read, but exploiting it requires an authenticated PMM user to craft specific queries through the Grafana interface.

Mitigating factors

  • PMM authentication is required to access Grafana and execute queries.
  • PMM does not use Azure OAuth or Prometheus remote read.

Risk decision

We’re accepting this risk for PMM 3.8.1 and will fix it in a future dependency update.

OpenTelemetry vulnerabilities (CVE-2026-29181, CVE-2026-24051, CVE-2026-39883)

Affected component

Grafana binary (third-party dependency, OpenTelemetry SDK v1.39.0).

Why this is hard to exploit in PMM

The PATH hijacking CVEs require local shell access to the PMM Server container and the ability to modify $PATH, which means the container is already compromised. PMM does not accept inbound OpenTelemetry traffic, so the denial of service via crafted OpenTelemetry baggage headers cannot be triggered either. None are exploitable in a standard deployment.

Mitigating factors

  • PMM Server containers run as non-root with restricted filesystem access.
  • PMM does not accept inbound OpenTelemetry traffic.
  • PATH hijacking requires pre-existing container compromise, which exceeds the PMM threat model.

Risk decision

We’re accepting this risk for PMM 3.8.1 and will fix it in a future dependency update.

Go standard library vulnerabilities in ClickHouse datasource

Tracked as CVE-2026-25679, CVE-2026-27137, CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39836, CVE-2026-42499 & CVE-2026-42504.

Affected component

Grafana ClickHouse Datasource plugin (third-party, not Percona-maintained). Built on Go 1.26.0; fixes require Go 1.26.4 or later.

Why this is hard to exploit in PMM

These are Go standard library issues affecting crypto/x509, crypto/tls, net/url, net/http, net/mail, and MIME header processing. The plugin only connects to PMM’s internal ClickHouse instance over localhost, so no external or user-controlled URLs, certificates, or TLS connections go through this code. CVE-2026-39836 (net.Dial NUL byte panic) affects Windows only and does not apply to PMM Server.

Mitigating factors

  • The plugin only connects to ClickHouse within the PMM Server container.
  • PMM Server runs on Linux, so the Windows-specific CVE does not apply.
  • No untrusted external input reaches the ClickHouse datasource query path without prior PMM authentication.
  • The plugin does not use TLS, reverse proxying, email parsing, or MIME processing in PMM’s deployment.

Risk decision

We’re accepting this risk for PMM 3.8.1. The fix requires an upstream rebuild of the plugin with Go 1.26.4 or later, which isn’t available yet. We’ll address it once it is.
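
A check a practitioner can run against the bundled binaries after upgrading, as an added example that is not part of these release notes or of PMM itself: it reads the toolchain tag that `go version -m` prints for a binary and compares it with the 1.26.4 minimum the notes cite for the Go standard library fixes. The live check assumes a Go toolchain on PATH; the sample `go version -m` output and the binary path in it are constructed placeholders, not captured from a PMM Server.

```python
"""Added example (not part of the PMM release notes): verify which Go toolchain a
bundled binary was built with and whether it meets a minimum version.

Uses the real `go version -m <binary>` command when a Go toolchain is installed;
the sample output below is constructed to mirror that format, not captured from
a PMM Server. The binary path in it is a placeholder.
"""
import re
import shutil
import subprocess

# Constructed sample of `go version -m` output for a binary built with Go 1.26.0
# (the first line is '<path>: go<version>'; later lines describe modules).
SAMPLE_BUILDINFO = """\
/path/to/gpx_clickhouse_linux_amd64: go1.26.0
\tpath\texample.invalid/clickhouse-datasource/pkg
\tmod\texample.invalid/clickhouse-datasource\t(devel)
\tbuild\t-buildmode=exe
"""

_VERSION_RE = re.compile(r"^go(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_toolchain(output: str) -> str:
    """Return the toolchain tag (e.g. 'go1.26.0') from `go version -m` output."""
    first = output.splitlines()[0] if output.strip() else ""
    _, sep, version = first.rpartition(": ")
    if not sep or not version.startswith("go"):
        raise ValueError(f"unrecognised `go version -m` output: {first!r}")
    return version.strip()


def version_tuple(tag: str) -> tuple[int, int, int]:
    """'go1.26.4' -> (1, 26, 4); missing fields are 0, pre-release suffixes ignored."""
    m = _VERSION_RE.match(tag if tag.startswith("go") else "go" + tag)
    if not m:
        raise ValueError(f"not a Go version: {tag!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def go_version_ok(tag: str, minimum: str) -> bool:
    """True if the toolchain tag is at least the minimum version."""
    return version_tuple(tag) >= version_tuple(minimum)


def check_binary(path: str, minimum: str = "1.26.4") -> tuple[str, bool]:
    """Run `go version -m` on a real binary (requires a Go toolchain on PATH)."""
    if shutil.which("go") is None:
        raise RuntimeError("go toolchain not found on PATH")
    out = subprocess.run(["go", "version", "-m", path], check=True,
                         capture_output=True, text=True).stdout
    tag = parse_toolchain(out)
    return tag, go_version_ok(tag, minimum)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use check_binary() for
    # a real file, e.g. check_binary("/path/to/binary", "1.26.4").
    tag = parse_toolchain(SAMPLE_BUILDINFO)
    print(tag, "meets 1.26.4:", go_version_ok(tag, "1.26.4"))
```

Running `check_binary` over each binary the notes list as rebuilt (pmm-dump, VictoriaMetrics, vmalert) should report a tag of go1.26.4 or later, while the ClickHouse datasource plugin, until its upstream rebuild lands, will still report an older toolchain.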

How to reduce risk

To lower your exposure in the meantime:

  • restrict network access to PMM Server to trusted networks and users.
  • keep the number of PMM admins small and enforce strong authentication.
  • apply resource limits to PMM Server containers where possible.
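
To make the first and third bullets checkable on an existing deployment, here is an added example (not part of the release notes or of PMM's own tooling) that audits a container's `docker inspect` output for ports published on every host interface and for missing memory, CPU and PID limits. The two inspect documents are constructed samples; the container name `pmm-server`, the host port and the limit values are assumptions.

```python
"""Added example (not part of the PMM release notes): audit a PMM Server container's
runtime configuration against the advice above (network exposure, resource limits).

Input is the JSON printed by `docker inspect <container>`. Both samples below are
constructed to mirror that format; they are not taken from a real deployment.
"""
import json
import subprocess

# Constructed `docker inspect` output: port published on all interfaces, no limits.
WEAK_INSPECT = json.dumps([{
    "Name": "/pmm-server",
    "HostConfig": {
        "PortBindings": {"8443/tcp": [{"HostIp": "", "HostPort": "443"}]},
        "Memory": 0, "NanoCpus": 0, "PidsLimit": None,
    },
}])

# Constructed output for the same container bound to loopback (behind a reverse
# proxy or VPN) with memory, CPU and process limits applied (assumed values).
HARDENED_INSPECT = json.dumps([{
    "Name": "/pmm-server",
    "HostConfig": {
        "PortBindings": {"8443/tcp": [{"HostIp": "127.0.0.1", "HostPort": "443"}]},
        "Memory": 4 * 1024 ** 3, "NanoCpus": 2_000_000_000, "PidsLimit": 2048,
    },
}])

# Host addresses that expose a published port on every interface of the host.
WILDCARD_HOST_IPS = {"", "0.0.0.0", "::"}


def audit_container(inspect_json: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    data = json.loads(inspect_json)
    if not data:
        raise ValueError("docker inspect returned no containers")
    host = data[0].get("HostConfig", {})
    findings = []

    # Network exposure: each published port should bind to a specific address.
    for port, bindings in (host.get("PortBindings") or {}).items():
        for b in bindings or []:
            if b.get("HostIp", "") in WILDCARD_HOST_IPS:
                findings.append(
                    f"port {port} is published on all host interfaces "
                    f"(host port {b.get('HostPort')}); bind it to a trusted address")

    # Resource limits: Docker reports 0 (or null) when no limit is configured.
    if not host.get("Memory"):
        findings.append("no memory limit (HostConfig.Memory is 0)")
    if not host.get("NanoCpus"):
        findings.append("no CPU limit (HostConfig.NanoCpus is 0)")
    if not host.get("PidsLimit"):
        findings.append("no PID limit (HostConfig.PidsLimit is unset)")
    return findings


def audit_running(container: str = "pmm-server") -> list[str]:
    """Inspect a live container (requires a reachable Docker daemon)."""
    out = subprocess.run(["docker", "inspect", container], check=True,
                         capture_output=True, text=True).stdout
    return audit_container(out)


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_INSPECT), ("hardened", HARDENED_INSPECT)):
        print(label, audit_container(sample) or ["ok"])
```

The memory, CPU and PID limits in the hardened sample correspond to the `--memory`, `--cpus` and `--pids-limit` options of `docker run`; the loopback binding corresponds to publishing the port as `127.0.0.1:<host port>:<container port>` and placing a reverse proxy or VPN in front of it.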

✅ Fixed issues

  • PMM-15054: Fixed an issue where ClickHouse system log tables grew out of control, consuming all available memory and causing PMM Server to fail with memory limit exceeded errors. PMM now disables the log tables it no longer uses and cleans up leftover tables from previous upgrades.

  • PMM-14858: Fixed an issue where PMM logged repeated connection errors when configured to use an external ClickHouse instance instead of the built-in one.

  • PMM-14763: Fixed an issue where OS metrics for AWS RDS instances continued to show data from the old primary after a blue-green switchover, instead of switching to the new primary.

  • PMM-15075: Fixed an issue where the ClickHouse Read Backoff panel on the PMM Health dashboard displayed an error instead of the graph. Also standardized font sizes across all dashboard panels.

  • PMM-15051: Fixed an issue where updating the public address in Settings > Advanced Settings returned a server error.

  • PMM-14894: Fixed the Cluster Messages graph in the Valkey/Redis Cluster Details dashboard to show the number of cluster messages per second instead of a cumulative total. The graph legend is also restored.

  • PMM-15112: Fixed an issue where a leftover live reload script in Grafana caused an unexpected browser prompt for some users.

  • PMM-14901: Fixed an issue in Real-Time Analytics (RTA) where the arrow navigation in the query details pane ignored active filters, moving through all queries instead of only the filtered ones.

🚀 Ready to upgrade to PMM 3.8.1?