Bug 2488673 (CVE-2026-11769)

Summary: CVE-2026-11769 grafana-operator: Grafana Operator: Privilege escalation and information disclosure via path traversal in jsonnet templating.
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akostadi, amasferr, clusk, dmayorov, jlledo, mwringe, pantinor, tsedmik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Grafana Operator. This vulnerability allows a malicious user, who can create Dashboard or LibraryPanel resources for a Grafana instance, to exploit a path traversal issue within the jsonnet data templating language. This exploitation can lead to privilege escalation and information disclosure, specifically enabling the attacker to obtain the Kubernetes service account token of the Grafana Operator manager.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-13 06:01:10 UTC
We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator.



### Summary



The Grafana Operator supports loading dashboards & library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod.



### Impact



It is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager.



### Affected versions



All Grafana Operator versions <= 5.23



### Solutions and mitigations



All installations should be upgraded as soon as possible.



As a workaround, the following ValidatingAdmissionPolicy prevent the creation or modification of jsonnet based resources:



apiVersion: admissionregistration.k8s.io/v1



kind: ValidatingAdmissionPolicy



metadata:

  name: "prevent-jsonnet-dashboards"


spec:

  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["grafana.integreatly.org"]
        apiVersions: ["v1beta1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["grafanadashboards", "grafanalibrarypanels"]
  validations:
    - expression: "!has(object.spec.jsonnetLib)"


---



apiVersion: admissionregistration.k8s.io/v1



kind: ValidatingAdmissionPolicyBinding



metadata:

  name: "prevent-jsonnet-dashboards-clusterwide"


spec:

  policyName: "prevent-jsonnet-dashboards"
  validationActions: [Deny]


### Acknowledgement



We would like to thank Artem Cherezov for responsibly disclosing the vulnerability.