Description
We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator.



### Summary



The Grafana Operator supports loading dashboards & library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod.



### Impact



It is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager.



### Affected versions



All Grafana Operator versions <= 5.23



### Solutions and mitigations



All installations should be upgraded as soon as possible.



As a workaround, the following ValidatingAdmissionPolicy prevents the creation or modification of jsonnet-based resources:

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "prevent-jsonnet-dashboards"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: ["grafana.integreatly.org"]
      apiVersions: ["v1beta1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["grafanadashboards", "grafanalibrarypanels"]
  validations:
  - expression: "!has(object.spec.jsonnetLib)"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "prevent-jsonnet-dashboards-clusterwide"
spec:
  policyName: "prevent-jsonnet-dashboards"
  validationActions: [Deny]
```

### Acknowledgement



We would like to thank Artem Cherezov for responsibly disclosing the vulnerability.
Published: 2026-06-13
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Grafana Operator allows a path traversal flaw within the jsonnet evaluation context used for dashboard and library panel resources. An attacker who can create or update GrafanaDashboards or GrafanaLibraryPanels can manipulate the jsonnet expression to read arbitrary files from the operator manager pod. This results in exposure of the Kubernetes service account token that the operator runs under, enabling unauthorized privileged access to the cluster.

Affected Systems

Vendor Grafana, product Grafana Operator, versions 5.23 and earlier are impacted. The issue was addressed in version 5.24.0.

Risk and Exploitability

The CVSS score is 6.4, indicating a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires the ability to create or modify dashboard or library panel resources, which implies at least cluster‑level or namespace‑level permissions. Successful exploitation grants the attacker a token with operator privileges, providing broad access to cluster resources.

Generated by OpenCVE AI on June 13, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grafana Operator to version 5.24.0 or later, which contains the definitive fix.
  • Deploy the provided ValidatingAdmissionPolicy to deny creation or modification of jsonnet‑based dashboards and library panels.
  • Limit RBAC permissions so that only trusted users or service accounts can create or update GrafanaDashboards and GrafanaLibraryPanels, reducing the opportunity for exploitation.
  • Continuously monitor the cluster for suspicious jsonnet resources and review audit logs for unauthorized changes.

Generated by OpenCVE AI on June 13, 2026 at 06:20 UTC.
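As an added example (not the Grafana Operator project's code), the following Python applies the same predicate the workaround's CEL expression enforces, `!has(object.spec.jsonnetLib)`, to two inputs a defender already has: a listing of existing GrafanaDashboard and GrafanaLibraryPanel objects, because an admission policy only gates new CREATE/UPDATE requests and does not touch objects already stored, and Kubernetes audit-log events, for the audit review recommended above. The sample listing and audit events are constructed, and the sub-fields under jsonnetLib are placeholders.

```python
# Added example, not Grafana Operator project code: applies the same predicate as the
# advisory's CEL rule `!has(object.spec.jsonnetLib)` to (a) resources already stored and
# (b) audit events. Sample data is constructed; jsonnetLib sub-fields are placeholders.

POLICY_GROUP = "grafana.integreatly.org"
POLICY_RESOURCES = {"grafanadashboards", "grafanalibrarypanels"}

def uses_jsonnet_lib(obj: dict) -> bool:
    """Python equivalent of CEL has(object.spec.jsonnetLib): presence, not truthiness."""
    return "jsonnetLib" in obj.get("spec", {})

def find_existing_jsonnet_resources(listing: dict) -> list[str]:
    """Objects the policy would have denied. Admission only gates new CREATE/UPDATE
    requests, so jsonnet resources created earlier keep being reconciled until removed."""
    return [f"{i['metadata']['namespace']}/{i['metadata']['name']} ({i['kind']})"
            for i in listing.get("items", []) if uses_jsonnet_lib(i)]

def flag_audit_events(events: list[dict]) -> list[str]:
    """Audit events matching the policy's matchConstraints whose request would fail the
    validation. Needs audit level Request/RequestResponse so requestObject is recorded."""
    hits = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if (ref.get("apiGroup") == POLICY_GROUP
                and ref.get("resource") in POLICY_RESOURCES
                and ev.get("verb") in {"create", "update"}
                and uses_jsonnet_lib(ev.get("requestObject", {}))):
            hits.append(f"{ev['user']['username']} {ev['verb']} {ref['namespace']}/{ref['name']}")
    return hits

# Constructed sample in the shape of `kubectl get grafanadashboards -A -o json`.
SAMPLE_LISTING = {"kind": "List", "items": [
    {"kind": "GrafanaDashboard", "metadata": {"namespace": "monitoring", "name": "nodes"},
     "spec": {"json": "{}"}},
    {"kind": "GrafanaDashboard", "metadata": {"namespace": "team-a", "name": "custom"},
     "spec": {"jsonnetLib": {"fileName": "dash.jsonnet"}}},
]}

# Constructed sample audit events (fields abbreviated to those the check uses).
SAMPLE_AUDIT = [
    {"verb": "create", "user": {"username": "dev@example.com"},
     "objectRef": {"apiGroup": POLICY_GROUP, "resource": "grafanalibrarypanels",
                   "namespace": "team-a", "name": "shared-panel"},
     "requestObject": {"spec": {"jsonnetLib": {"fileName": "panel.jsonnet"}}}},
    {"verb": "update", "user": {"username": "ci-bot"},
     "objectRef": {"apiGroup": POLICY_GROUP, "resource": "grafanadashboards",
                   "namespace": "monitoring", "name": "nodes"},
     "requestObject": {"spec": {"json": "{}"}}},
]
```

Run `find_existing_jsonnet_resources` over the real listing before relying on the admission policy, since it reports the jsonnet-based objects the policy can no longer reject.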


History

Sat, 13 Jun 2026 06:30:00 +0000

Weaknesses added: CWE-22

Sat, 13 Jun 2026 05:30:00 +0000

Title added: Operator - Namespaced User Path Traversal
Metrics added (cvssV4_0): score 6.4, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N



MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-06-13T04:17:41.099Z

Reserved: 2026-06-09T10:52:06.229Z

Link: CVE-2026-11769


NVD

Status : Received

Published: 2026-06-13T06:16:14.380

Modified: 2026-06-13T06:16:14.380

Link: CVE-2026-11769


OpenCVE Enrichment

Updated: 2026-06-13T06:30:07Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')