CVE-2026-11769: Operator - Namespaced User Path Traversal
We have released version 5.24.0 of the Grafana Operator. This patch includes a MEDIUM severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator.
### Summary
The Grafana Operator supports loading dashboards & library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod.
### Impact
It is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager.
### Affected versions
All Grafana Operator versions <= 5.23
### Solutions and mitigations
All installations should be upgraded as soon as possible.
As a workaround, the following ValidatingAdmissionPolicy prevent the creation or modification of jsonnet based resources:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "prevent-jsonnet-dashboards"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: ["grafana.integreatly.org"]
apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE"]
resources: ["grafanadashboards", "grafanalibrarypanels"]
validations:
- expression: "!has(object.spec.jsonnetLib)"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: "prevent-jsonnet-dashboards-clusterwide"
spec:
policyName: "prevent-jsonnet-dashboards"
validationActions: [Deny]
### Acknowledgement
We would like to thank Artem Cherezov for responsibly disclosing the vulnerability.
Security readout for executives and security teams
Plain-English summary
CVE-2026-11769 affects Grafana Operator versions 5.23 and earlier. A Kubernetes user who can create Grafana Dashboard or LibraryPanel resources could use jsonnet handling to obtain the Operator manager pod’s service account token. That may allow privilege escalation inside the cluster, depending on that service account’s permissions.
Executive priority
Prioritize remediation for clusters where Grafana Operator has broad service account permissions or where many users can manage Grafana dashboard resources. The issue is medium severity but can expose an operator token, creating cluster-specific escalation risk.
Technical view
The Grafana Operator evaluates jsonnet expressions for dashboard and library panel resources in the operator manager pod context. The vendor describes this as a path traversal/privilege escalation issue, mapped to CWE-22, with CVSS 4.0 score 6.4. Fixed version is Grafana Operator 5.24.0.
Likely exposure
Exposure is likely limited to Kubernetes clusters running Grafana Operator 5.23 or earlier where users or automation can create or update grafanadashboards or grafanalibrarypanels using jsonnet.
Exploitation context
The source bundle does not indicate active exploitation, and KEV is false. Exploitation requires low privileges: the attacker must be able to create Dashboard or LibraryPanel resources for a Grafana instance.
Researcher notes
The key trust boundary is jsonnet evaluation inside the operator manager pod. Assess the operator service account permissions to understand blast radius. The public advisory names the impact and workaround but does not provide exploit details or evidence of exploitation.
Mitigation direction
Upgrade Grafana Operator to version 5.24.0 as soon as practical.
If immediate upgrade is not possible, apply the vendor’s ValidatingAdmissionPolicy workaround blocking jsonnet-based resources.
Review who can create or update GrafanaDashboard and GrafanaLibraryPanel resources.
Check vendor guidance for any updated recommendations before production changes.
Validation and detection
Inventory Grafana Operator versions across Kubernetes clusters.
Confirm no Grafana Operator version is 5.23 or earlier.
Review RBAC granting create or update on grafanadashboards and grafanalibrarypanels.
Check for jsonnetLib use in GrafanaDashboard and GrafanaLibraryPanel resources.
Verify the admission policy workaround is enforced if upgrade is delayed.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-22: File access and web shell behavior lookup
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-22 · source CWE mapping
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.