23 matches found
CVE-2026-11769
A flaw was found in the Grafana Operator. This vulnerability allows a malicious user, who can create Dashboard or LibraryPanel resources for a Grafana instance, to exploit a path traversal issue within the jsonnet data templating language. This exploitation can lead to privilege escalation and...
GO-2026-5355 Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName in github.com/grafana/grafana-operator
Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName in github.com/grafana/grafana-operator...
GHSA-FCW4-WWQM-M8CF Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName
We have released version 5.24.0 of the Grafana Operator. This patch includes a MODERATE severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator. Summary: The Grafana Operator supports loading dashboards & library panels using the jsonnet data templatin...
EUVD-2026-36641
Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName...
Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName
We have released version 5.24.0 of the Grafana Operator. This patch includes a MODERATE severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator. Summary: The Grafana Operator supports loading dashboards & library panels using the jsonnet data templatin...
Duplicate Advisory: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-fcw4-wwqm-m8cf. This link is maintained to preserve external references. Original Description: We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a...
CVE-2026-11769
We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator. Summary: The Grafana Operator supports loading dashboards & library panels using the jsonnet data templatin...
Credential Exposure
Overview: Affected versions of this package are vulnerable to Credential Exposure in jsonnetfetcher.go that may expose the Kubernetes service account token of the Grafana Operator manager to users with sufficient privileges to create Dashboard or LibraryPanel resources. This token can be used to...
CVE-2026-11769
Grafana Operator
CVE-2026-11769 Operator - Namespaced User Path Traversal
We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator. Summary: The Grafana Operator supports loading dashboards & library panels using the jsonnet data templatin...
PT-2026-49078
Name of the Vulnerable Software and Affected Versions: Grafana Operator versions prior to 5.24.0. Description: A path traversal and privilege escalation issue exists when loading dashboards and library panels using the jsonnet data templating language. Because the jsonnet expression is evaluated...
CVE-2026-33810 vulnerabilities
Vulnerabilities for packages: actions-runner-controller-fips, ingress-nginx-controller, listmonk, dataplaneapi-fips, rabbitmq-messaging-topology-operator-fips, karpenter, nodetaint-fips, osv-scanner, nodetaint, spire-server, flux-image-reflector-controller-fips, flux-source-watcher-fips,...
GHSA-FV83-X2XW-2J55 vulnerabilities
Vulnerabilities for packages: actions-runner-controller-fips, ingress-nginx-controller, listmonk, dataplaneapi-fips, rabbitmq-messaging-topology-operator-fips, karpenter, nodetaint-fips, osv-scanner, nodetaint, spire-server, flux-image-reflector-controller-fips, flux-source-watcher-fips,...
GHSA-X4JJ-H2V8-HQQV vulnerabilities
Vulnerabilities for packages: ingress-nginx-controller, helm-exporter-fips, docker-cli, rke2-runtime-fips, crane, cloudbeat, crossplane, gosu, atlantis, flux-source-watcher, xeol, cerbos, image-factory, rclone, oras-fips, tekton-pipelines, flux-source-controller, docker-compose-fips, harbor,...
CVE-2026-32288 vulnerabilities
Vulnerabilities for packages: ingress-nginx-controller, helm-exporter-fips, docker-cli, rke2-runtime-fips, crane, cloudbeat, crossplane, gosu, atlantis, flux-source-watcher, xeol, cerbos, image-factory, rclone, oras-fips, tekton-pipelines, flux-source-controller, docker-compose-fips, harbor,...
CVE-2026-32280 vulnerabilities
Vulnerabilities for packages: kcp-fips, kafka-proxy, mockery, prometheus-adapter, crossplane-provider-aws-eks-fips, ingress-nginx-controller, yunikorn-web-fips, vexctl, knative-kafka-broker, helm-exporter-fips, cert-manager-csi-driver-fips, aws-node-termination-handler, dataplaneapi-fips,...
GHSA-5W89-2C2X-6X66 vulnerabilities
Vulnerabilities for packages: kafka-proxy, prometheus-adapter, ingress-nginx-controller, vexctl, aws-node-termination-handler, cert-manager-fips, velero-plugin-for-csi-fips, terraform-provider-kubernetes-fips, kratos, wazero, azure-container-networking, nri-redis-fips, verticadb-operator,...
CVE-2026-32283 vulnerabilities
Vulnerabilities for packages: kcp-fips, kafka-proxy, mockery, prometheus-adapter, crossplane-provider-aws-eks-fips, ingress-nginx-controller, yunikorn-web-fips, vexctl, knative-kafka-broker, helm-exporter-fips, cert-manager-csi-driver-fips, aws-node-termination-handler, dataplaneapi-fips,...