Bug 2488673 (CVE-2026-11769) - CVE-2026-11769 grafana-operator: Grafana Operator: Privilege escalation and information disclosure via path traversal in jsonnet templating.
Summary: CVE-2026-11769 grafana-operator: Grafana Operator: Privilege escalation and i...
Keywords:
Status: NEW
Alias: CVE-2026-11769
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-13 06:01 UTC by OSIDB Bzimport
Modified: 2026-07-02 17:14 UTC (History)
8 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-13 06:01:10 UTC
We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator.



### Summary



The Grafana Operator supports loading dashboards & library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod.



### Impact



It is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager.



### Affected versions



All Grafana Operator versions <= 5.23



### Solutions and mitigations



All installations should be upgraded as soon as possible.



As a workaround, the following ValidatingAdmissionPolicy prevent the creation or modification of jsonnet based resources:



apiVersion: admissionregistration.k8s.io/v1



kind: ValidatingAdmissionPolicy



metadata:

  name: "prevent-jsonnet-dashboards"


spec:

  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["grafana.integreatly.org"]
        apiVersions: ["v1beta1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["grafanadashboards", "grafanalibrarypanels"]
  validations:
    - expression: "!has(object.spec.jsonnetLib)"


---



apiVersion: admissionregistration.k8s.io/v1



kind: ValidatingAdmissionPolicyBinding



metadata:

  name: "prevent-jsonnet-dashboards-clusterwide"


spec:

  policyName: "prevent-jsonnet-dashboards"
  validationActions: [Deny]


### Acknowledgement



We would like to thank Artem Cherezov for responsibly disclosing the vulnerability.


Note You need to log in before you can comment on or make changes to this bug.