CVE-2026-11769
Analyzed Analyzed - Analysis Complete

Path Traversal in Grafana Operator

Vulnerability report for CVE-2026-11769, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-13

Last updated on: 2026-06-30

Assigner: Grafana Labs

Description

We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator. ### Summary The Grafana Operator supports loading dashboards & library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod. ### Impact It is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager. ### Affected versions All Grafana Operator versions <= 5.23 ### Solutions and mitigations All installations should be upgraded as soon as possible. As a workaround, the following ValidatingAdmissionPolicy prevent the creation or modification of jsonnet based resources: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: name: "prevent-jsonnet-dashboards" spec: failurePolicy: Fail matchConstraints: resourceRules: - apiGroups: ["grafana.integreatly.org"] apiVersions: ["v1beta1"] operations: ["CREATE", "UPDATE"] resources: ["grafanadashboards", "grafanalibrarypanels"] validations: - expression: "!has(object.spec.jsonnetLib)" --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: name: "prevent-jsonnet-dashboards-clusterwide" spec: policyName: "prevent-jsonnet-dashboards" validationActions: [Deny] ### Acknowledgement We would like to thank Artem Cherezov for responsibly disclosing the vulnerability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-13
Last Modified
2026-06-30
Generated
2026-07-03
AI Q&A
2026-06-13
EPSS Evaluated
2026-07-02
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
grafana grafana_operator to 5.24.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a critical security flaw in the Grafana Operator versions up to 5.23. It involves a path traversal and privilege escalation issue related to the use of the jsonnet data templating language for loading dashboards and library panels.

The jsonnet expressions are evaluated within the context of the operator manager pod, which means a malicious user who can create Dashboard or LibraryPanel resources can exploit this to obtain the Kubernetes service account token of the Grafana Operator manager.

Impact Analysis

If exploited, this vulnerability allows a malicious user to escalate privileges by obtaining the Kubernetes service account token of the Grafana Operator manager.

This token could potentially be used to perform unauthorized actions within the Kubernetes cluster, leading to further compromise of the system.

Mitigation Strategies

To mitigate this vulnerability immediately, all installations should be upgraded to Grafana Operator version 5.24.0 or later.

As a workaround, you can deploy a ValidatingAdmissionPolicy that prevents the creation or modification of jsonnet based Dashboard or LibraryPanel resources.

  • Create a ValidatingAdmissionPolicy named "prevent-jsonnet-dashboards" that denies creation or update operations on grafanadashboards and grafanalibrarypanels resources if they contain jsonnetLib.
  • Bind this policy cluster-wide using a ValidatingAdmissionPolicyBinding named "prevent-jsonnet-dashboards-clusterwide" with validationActions set to Deny.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11769. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart