CVE-2026-11769

Source
https://cve.org/CVERecord?id=CVE-2026-11769
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11769.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-11769
Aliases
Downstream
Published
2026-06-13T04:17:41.099Z
Modified
2026-07-12T03:54:48.268998117Z
Severity
  • 6.4 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N CVSS Calculator
Summary
Operator - Namespaced User Path Traversal
Details

We have released version 5.24.0 of the Grafana Operator. This patch includes a MEDIUM severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator.

Summary

The Grafana Operator supports loading dashboards & library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod.

Impact

It is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager.

Affected versions

All Grafana Operator versions <= 5.23

Solutions and mitigations

All installations should be upgraded as soon as possible.

As a workaround, the following ValidatingAdmissionPolicy prevent the creation or modification of jsonnet based resources:

apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: name: "prevent-jsonnet-dashboards" spec: failurePolicy: Fail matchConstraints: resourceRules: - apiGroups: ["grafana.integreatly.org"] apiVersions: ["v1beta1"] operations: ["CREATE", "UPDATE"] resources: ["grafanadashboards", "grafanalibrarypanels"] validations:

- expression: "!has(object.spec.jsonnetLib)"

apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: name: "prevent-jsonnet-dashboards-clusterwide" spec: policyName: "prevent-jsonnet-dashboards" validationActions: [Deny]

Acknowledgement

We would like to thank Artem Cherezov for responsibly disclosing the vulnerability.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "last_affected": "5.23.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11769.json",
    "cna_assigner": "GRAFANA"
}
References

Affected packages

Git / github.com/grafana/grafana-operator

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana-operator
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:grafana:grafana_operator:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.24.0"
        }
    ]
}

Affected versions

0.*
0.0.1
0.0.2
4.*
4.7.0
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.3.0
v1.3.1
v1.4.0
v2.*
v2.0.0
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.1.0
v3.10.0
v3.2.0
v3.3.0
v3.4.0
v3.5.0
v3.6.0
v3.7.0
v3.8.0
v3.8.1
v3.9.0
v4.*
v4.0.1
v4.0.2
v4.1.0
v4.1.1
v4.10.0
v4.2.0
v4.3.0
v4.4.0
v4.4.1
v4.5.0
v4.5.1
v4.6.0
v4.7.0
v4.7.1
v4.8.0
v4.9.0
v5.*
v5.0.0
v5.0.0-rc0
v5.0.0-rc1
v5.0.0-rc2
v5.0.0-rc3
v5.0.1
v5.0.2
v5.1.0
v5.10.0
v5.11.0
v5.12.0
v5.13.0
v5.14.0
v5.15.0
v5.15.1
v5.16.0
v5.17.0
v5.17.1
v5.18.0
v5.19.0
v5.19.1
v5.19.2
v5.19.3
v5.19.4
v5.2.0
v5.20.0
v5.21.0
v5.21.1
v5.21.2
v5.21.3
v5.21.4
v5.22.0
v5.22.1
v5.22.2
v5.23.0
v5.3.0
v5.4.0
v5.4.1
v5.4.2
v5.5.0
v5.5.1
v5.5.2
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.7.0
v5.8.0
v5.8.1
v5.9.0
v5.9.1
v5.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11769.json"