All errata/c10f2/ALT-PU-2026-6579-4
ALT-PU-2026-6579-4

Package update grafana in branch c10f2

Version12.3.6-alt1
Task#415862
Published2026-04-25
Max severityCRITICAL
Severity:

Closed issues (16)

BDU:2026-02010
MEDIUM6.8

Уязвимость компонента Explore Traces платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю выполнить произвольный JavaScript-код

Published: 2026-02-20Modified: 2026-03-19
CVSS 3.xMEDIUM 6.8
CVSS:3.x/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS 2.0HIGH 7.1
CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:N
References
BDU:2026-02011
MEDIUM5.3

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с раскрытием информации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2026-02-20
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2026-02013
LOW3.3

Уязвимость функции корреляции платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2026-02-20
CVSS 3.xLOW 3.3
CVSS:3.x/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
CVSS 2.0LOW 3.6
CVSS:2.0/AV:N/AC:H/Au:S/C:P/I:P/A:N
References
BDU:2026-04159
CRITICAL9.1

Уязвимость функции SQL Expressions платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю выполнить произвольный код и получить несанкционированный доступ к платформе

Published: 2026-03-30Modified: 2026-04-01
CVSS 3.xCRITICAL 9.1
CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS 2.0CRITICAL 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C
References
CVE-2025-41117
MEDIUM6.1

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.

Published: 2026-02-12Modified: 2026-02-26
CVSS 3.xMEDIUM 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
CVE-2026-21722
MEDIUM5.3

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.

Published: 2026-02-12Modified: 2026-02-27
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2026-21724
MEDIUM4.3

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Published: 2026-03-26Modified: 2026-04-14
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
References
CVE-2026-21727
LOW3.3

--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.

Published: 2026-04-15Modified: 2026-04-20
CVSS 3.xLOW 3.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
References
CVE-2026-27876
CRITICAL9.1

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life. - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix. - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix. - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.

Published: 2026-03-27Modified: 2026-04-02
CVSS 3.xCRITICAL 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
References
CVE-2026-27877
HIGH7.5

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

Published: 2026-03-27Modified: 2026-03-31
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
CVE-2026-33375
MEDIUM6.5

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.

Published: 2026-03-26Modified: 2026-03-31
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
GHSA-7g92-g4vh-hp84
MEDIUM5.4

Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions

Published: 2026-03-27Modified: 2026-04-24
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References