Percona Monitoring and Management 3.8.1

Release date: June 16th, 2026

Percona Monitoring and Management (PMM) is an open source database monitoring, management, and observability solution for MySQL, PostgreSQL, MongoDB, Valkey, and Redis. PMM empowers you to:

  • monitor the health and performance of your database systems
  • identify patterns and trends in database behavior
  • diagnose and resolve issues faster with actionable insights
  • manage databases across on-premises, cloud, and hybrid environments

📋 Release summary

PMM 3.8.1 is a security-focused release that patches critical and high-severity vulnerabilities in gRPC, Grafana, and nginx, and fixes several ClickHouse and dashboard stability issues.

🔒 Security updates

Grafana upgraded to 12.4.3+security-02

PMM 3.8.1 upgrades Grafana to 12.4.3+security-02 to address 10 security vulnerabilities. We recommend upgrading to PMM 3.8.1 as soon as possible. For the full list of CVEs addressed through this upgrade, see the Grafana 12.4.3+security-02 release notes.

Zero vulnerabilities in PMM’s own components

PMM’s own components have zero known vulnerabilities in this release. Any remaining risks are in third-party dependencies where upstream fixes are not yet available, and none are exploitable in a typical PMM deployment.

Fixed third-party vulnerabilities

pgx memory-safety vulnerability (CVE-2026-33816)

CRITICAL severity. Fixed by bumping pgx from v5.8.0 to v5.9.2 in the Percona Grafana fork.

gRPC authorization bypass (CVE-2026-33186)

HIGH severity. Fixed through upstream dependency updates across all PMM components.

Go stdlib MIME header decoding DoS (CVE-2026-42504)

HIGH severity. Fixed across pmm-dump, VictoriaMetrics, and vmalert by rebuilding on Go 1.26.4.

Docker engine vulnerabilities in Nomad

HIGH severity (CVE-2026-41567, CVE-2026-42306). Fixed through upstream Nomad dependency update.

nginx TLS backend injection (CVE-2026-1642)

HIGH severity. Fixed by upgrading the bundled nginx.

Assessed and accepted: vulnerabilities not exploitable in PMM

The following vulnerabilities were assessed and are not exploitable in a typical PMM deployment. Residual risk is accepted for PMM 3.8.1 and will be resolved through future upstream updates.

Go JOSE denial of service (CVE-2026-34986)

Affects the go-jose library used by Grafana for JWT/JWE processing. PMM authentication is required to reach the affected endpoints, and the impact is limited to denial of service. This will be resolved through a future Grafana upstream update.

Docker engine vulnerabilities in Grafana transitive dependencies (CVE-2026-34040, CVE-2026-41567, CVE-2026-42306)

Affects moby/moby, an unused transitive build dependency in the Grafana binary. PMM does not run or expose a Docker daemon, so the vulnerable code paths are never executed.

Grafana Tempo denial of service and information disclosure (CVE-2026-21728, CVE-2026-28377)

Affects the Tempo tracing datasource compiled into Grafana. PMM does not configure or use Tempo, so the vulnerable endpoints are not reachable.

Apache Thrift integer overflow (CVE-2026-41602)

Affects the Thrift library, an unused transitive dependency in the Grafana binary. PMM uses gRPC and HTTP/JSON for inter-component communication, not Thrift, so the vulnerable code path is unreachable.

Prometheus library vulnerabilities (CVE-2026-42151, CVE-2026-42154)

Affects the Prometheus library embedded in Grafana for PromQL evaluation. PMM does not use Azure OAuth or Prometheus remote read, and Grafana access requires PMM authentication.

OpenTelemetry vulnerabilities (CVE-2026-29181, CVE-2026-24051, CVE-2026-39883)

Affects the OpenTelemetry SDK in the Grafana binary. The PATH hijacking CVEs require pre-existing container compromise, and PMM does not accept inbound OpenTelemetry traffic, so none are exploitable in a standard deployment.

Go standard library vulnerabilities in ClickHouse datasource

Affects the third-party Grafana ClickHouse Datasource plugin, which is built on an older Go toolchain. The plugin connects only to PMM’s internal ClickHouse instance over localhost and does not process untrusted URLs, external TLS, email, or MIME content, so the vulnerable code paths are unreachable. Resolution requires an upstream plugin update to a newer Go toolchain. Tracked as CVE-2026-25679, CVE-2026-27137, CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39836, CVE-2026-42499, and CVE-2026-42504.

How to reduce risk

To lower risk further, Percona recommends that you:

  • restrict network access to PMM Server to trusted networks and users.
  • minimize the number of PMM administrators and enforce strong authentication.
  • apply resource limits to PMM Server containers where supported.
  • keep Nomad disabled unless it is explicitly required for your deployment.

✅ Fixed issues

  • PMM-15054: Fixed an issue where ClickHouse system log tables grew out of control, consuming all available memory and causing PMM Server to fail with MEMORY_LIMIT_EXCEEDED errors. PMM now disables the log tables it no longer uses and cleans up leftover tables from previous upgrades.

  • PMM-14858: Fixed an issue where PMM logged repeated connection errors when configured to use an external ClickHouse instance instead of the built-in one.

  • PMM-14763: Fixed an issue where OS metrics for AWS RDS instances continued to show data from the old primary after a blue-green switchover, instead of switching to the new primary.

  • PMM-15075: Fixed an issue where the ClickHouse Read Backoff panel on the PMM Health dashboard displayed an error instead of the graph. Also standardized font sizes across all dashboard panels.

  • PMM-15051: Fixed an issue where updating the public address in Settings > Advanced Settings returned a server error.

  • PMM-14894: Fixed the Cluster Messages graph in the Valkey/Redis Cluster Details dashboard to show the number of cluster messages per second instead of a cumulative total. The graph legend is also restored.

  • PMM-15112: Fixed an issue where a leftover live reload script in Grafana caused an unexpected browser prompt for some users.

  • PMM-14901: Fixed an issue in Real-Time Analytics (RTA) where the arrow navigation in the query details pane ignored active filters, moving through all queries instead of only the filtered ones.
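As an added check related to PMM-15054 (an example query written for this page, not code from the release notes or from PMM itself), the following ClickHouse query lists every table in the `system` database whose name ends in `_log`, with its active on-disk footprint, row count, and number of active parts, largest first. After upgrading, an operator can run it against the ClickHouse instance bundled with PMM Server (for example with `clickhouse-client` on the server host) to confirm that leftover log tables are gone and that the remaining ones are not growing toward the memory limit. It assumes only the standard `system.parts` table and the `formatReadableSize` function, both part of stock ClickHouse; which specific log tables PMM disables is not stated here and is not assumed.

```sql
-- Added example (not from the PMM release notes): report the size of every
-- ClickHouse system log table so growth like that described in PMM-15054
-- can be spotted. Only active (current) data parts are counted.
SELECT
    database,
    table,
    formatReadableSize(sum(bytes_on_disk)) AS size_on_disk,
    sum(rows)                              AS row_count,
    count()                                AS active_parts
FROM system.parts
WHERE active
  AND database = 'system'
  AND table LIKE '%_log'
GROUP BY database, table
ORDER BY sum(bytes_on_disk) DESC;
```

Re-running the query a few hours apart gives a quick growth trend: a log table whose `size_on_disk` and `row_count` keep climbing is the one worth attention, while a table that no longer appears has been dropped.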

🚀 Ready to upgrade to PMM 3.8.1?