
Grafana Operator CVE-2026-11769

EUVD-2026-36641 · MEDIUM
Path Traversal (CWE-22)
2026-06-13 · GRAFANA · GHSA-v82c-5c2q-hx9g
6.4 (CVSS 4.0) · Vendor: GRAFANA

Severity by source

Vendor (GRAFANA), primary: 6.4 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 9.6 CRITICAL
Network vector via Kubernetes API; PR:L for required CRD write RBAC; scope change because operator pod token theft affects the broader cluster.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (GRAFANA).

CVSS Vector (Vendor: GRAFANA)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

1. Analysis Generated: Jun 13, 2026 - 05:43 (vuln.today)

Description (CVE.org)

We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator.

Summary

The Grafana Operator supports loading dashboards & library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod.

Impact

It is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager.

Affected versions

All Grafana Operator versions <= 5.23

Solutions and mitigations

All installations should be upgraded as soon as possible.

As a workaround, the following ValidatingAdmissionPolicy prevents the creation or modification of jsonnet-based resources:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "prevent-jsonnet-dashboards"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["grafana.integreatly.org"]
        apiVersions: ["v1beta1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["grafanadashboards", "grafanalibrarypanels"]
  validations:
    - expression: "!has(object.spec.jsonnetLib)"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "prevent-jsonnet-dashboards-clusterwide"
spec:
  policyName: "prevent-jsonnet-dashboards"
  validationActions: [Deny]
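The admission policy above only acts on CREATE and UPDATE, so GrafanaDashboard and GrafanaLibraryPanel resources that already existed when the binding was applied are not retroactively blocked. The following added example (not part of the advisory or the Grafana Operator project) mirrors the policy's CEL check `has(object.spec.jsonnetLib)` in Python and audits a `kubectl ... -o json` List for such pre-existing resources; the sample List and the contents of its `jsonnetLib` fields are constructed placeholders.

```python
import json

# Resource kinds the page's ValidatingAdmissionPolicy matches (grafanadashboards,
# grafanalibrarypanels in grafana.integreatly.org/v1beta1).
WATCHED_KINDS = {"GrafanaDashboard", "GrafanaLibraryPanel"}

def uses_jsonnet_lib(obj: dict) -> bool:
    """Python equivalent of the policy's CEL check has(object.spec.jsonnetLib):
    only field presence matters, not its contents."""
    return "jsonnetLib" in (obj.get("spec") or {})

def admission_decision(obj: dict) -> str:
    """Mirror the policy binding: Deny a CREATE/UPDATE of a watched kind whose
    spec carries jsonnetLib; any other kind is outside matchConstraints."""
    if obj.get("kind") not in WATCHED_KINDS:
        return "Allow"
    return "Deny" if uses_jsonnet_lib(obj) else "Allow"

def audit_existing(list_json: str) -> list:
    """Scan a kubectl '-o json' List. The admission policy only acts on
    CREATE/UPDATE, so resources that already existed when it was applied
    must be found and reviewed separately; this returns them."""
    findings = []
    for item in json.loads(list_json).get("items", []):
        if item.get("kind") in WATCHED_KINDS and uses_jsonnet_lib(item):
            meta = item.get("metadata", {})
            findings.append((item["kind"], meta.get("namespace", ""), meta.get("name", "")))
    return findings

# Constructed sample resembling the output of
#   kubectl get grafanadashboards,grafanalibrarypanels -A -o json
# The contents of jsonnetLib are placeholders; only the key's presence is checked.
SAMPLE_LIST = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "grafana.integreatly.org/v1beta1", "kind": "GrafanaDashboard",
     "metadata": {"namespace": "monitoring", "name": "plain-json-dashboard"},
     "spec": {"json": "{}"}},
    {"apiVersion": "grafana.integreatly.org/v1beta1", "kind": "GrafanaDashboard",
     "metadata": {"namespace": "team-a", "name": "templated-dashboard"},
     "spec": {"jsonnetLib": {"placeholder": True}}},
    {"apiVersion": "grafana.integreatly.org/v1beta1", "kind": "GrafanaLibraryPanel",
     "metadata": {"namespace": "team-b", "name": "templated-panel"},
     "spec": {"jsonnetLib": {"placeholder": True}}},
]})

if __name__ == "__main__":
    for kind, ns, name in audit_existing(SAMPLE_LIST):
        print(f"REVIEW {kind} {ns}/{name}: spec.jsonnetLib is set")
```

Resources the audit reports should be reviewed and either migrated away from jsonnet or deleted until the operator is upgraded to 5.24.0.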

Acknowledgement

We would like to thank Artem Cherezov for responsibly disclosing the vulnerability.

Analysis (AI)

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to create GrafanaDashboard or GrafanaLibraryPanel resources to steal the Kubernetes service account token of the operator manager pod. The jsonnet templating language, supported via spec.jsonnetLib, is evaluated unsandboxed inside the operator manager pod, enabling a path traversal payload to read sensitive files - including the mounted service account token - and exfiltrate it through the resulting dashboard output. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain RBAC write access to GrafanaDashboard or LibraryPanel CRDs
Delivery: Craft jsonnet expression with path traversal to service account token
Exploit: Submit malicious resource via Kubernetes API
Install: Operator manager evaluates jsonnet in pod context
C2: Path traversal reads /var/run/secrets/kubernetes.io/serviceaccount/token
Execute: Exfiltrate token from dashboard output
Impact: Authenticate to Kubernetes API with elevated operator privileges

Vulnerability Assessment (AI)

Exploitation: The attacker must hold Kubernetes RBAC permissions to create or update either GrafanaDashboard (grafanadashboards) or GrafanaLibraryPanel (grafanalibrarypanels) resources in the grafana.integreatly.org API group, version v1beta1. …

Risk Assessment: The vendor-provided CVSS 4.0 score of 6.4 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N accurately captures the attack architecture: the vulnerable system (the CRD object itself) sustains no direct impact, but the subsequent system - the operator manager pod and the Kubernetes cluster it controls - suffers high confidentiality and integrity compromise. …

Exploit Scenario: An attacker who holds Kubernetes RBAC permissions to create GrafanaDashboard resources submits a manifest with a crafted spec.jsonnetLib expression that uses jsonnet's native file import or string manipulation to read /var/run/secrets/kubernetes.io/serviceaccount/token from the operator manager pod's filesystem and embed its contents in the resulting dashboard JSON. The Grafana Operator manager evaluates the jsonnet and stores or surfaces the output, allowing the attacker to retrieve the service account token - then use it to authenticate directly to the Kubernetes API server and perform actions with the operator's elevated cluster-scoped privileges. …

Remediation: The primary fix is to upgrade the Grafana Operator to version 5.24.0, which contains the security patch. …
