CVE-2026-11769
Received Received - Intake
Path Traversal in Grafana Operator

Publication date: 2026-06-13

Last updated on: 2026-06-13

Assigner: Grafana Labs

Description
We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator. ### Summary The Grafana Operator supports loading dashboards & library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod. ### Impact It is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager. ### Affected versions All Grafana Operator versions <= 5.23 ### Solutions and mitigations All installations should be upgraded as soon as possible. As a workaround, the following ValidatingAdmissionPolicy prevent the creation or modification of jsonnet based resources: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: name: "prevent-jsonnet-dashboards" spec: failurePolicy: Fail matchConstraints: resourceRules: - apiGroups: ["grafana.integreatly.org"] apiVersions: ["v1beta1"] operations: ["CREATE", "UPDATE"] resources: ["grafanadashboards", "grafanalibrarypanels"] validations: - expression: "!has(object.spec.jsonnetLib)" --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: name: "prevent-jsonnet-dashboards-clusterwide" spec: policyName: "prevent-jsonnet-dashboards" validationActions: [Deny] ### Acknowledgement We would like to thank Artem Cherezov for responsibly disclosing the vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-13
Last Modified
2026-06-13
Generated
2026-06-13
AI Q&A
2026-06-13
EPSS Evaluated
N/A
NVD
CVE-2026-11769
EUVD
EUVD-2026-36641
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
grafana grafana_operator to 5.24.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a critical security flaw in the Grafana Operator versions up to 5.23. It involves a path traversal and privilege escalation issue related to the use of the jsonnet data templating language for loading dashboards and library panels.

The jsonnet expressions are evaluated within the context of the operator manager pod, which means a malicious user who can create Dashboard or LibraryPanel resources can exploit this to obtain the Kubernetes service account token of the Grafana Operator manager.

Impact Analysis

If exploited, this vulnerability allows a malicious user to escalate privileges by obtaining the Kubernetes service account token of the Grafana Operator manager.

This token could potentially be used to perform unauthorized actions within the Kubernetes cluster, leading to further compromise of the system.

Mitigation Strategies

To mitigate this vulnerability immediately, all installations should be upgraded to Grafana Operator version 5.24.0 or later.

As a workaround, you can deploy a ValidatingAdmissionPolicy that prevents the creation or modification of jsonnet based Dashboard or LibraryPanel resources.

  • Create a ValidatingAdmissionPolicy named "prevent-jsonnet-dashboards" that denies creation or update operations on grafanadashboards and grafanalibrarypanels resources if they contain jsonnetLib.
  • Bind this policy cluster-wide using a ValidatingAdmissionPolicyBinding named "prevent-jsonnet-dashboards-clusterwide" with validationActions set to Deny.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11769. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart