CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-11769: Local File Read and Privilege Escalation in Grafana Operator via Jsonnet Evaluation

Vulnerability ID: CVE-2026-11769
CVSS Score: 6.4
Published: 2026-06-19

CVE-2026-11769 is a directory traversal vulnerability affecting the Grafana Operator before version 5.24.0. An authenticated attacker with basic namespace privileges can deploy a crafted GrafanaDashboard or GrafanaLibraryPanel custom resource to read sensitive local files. This enables the extraction of the service account token of the operator manager, resulting in cluster-wide privilege escalation.

TL;DR

A directory traversal flaw in the Jsonnet templating engine of Grafana Operator allows namespace-level users to read arbitrary files from the manager pod and escalate privileges to cluster-wide administrator.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-22 (Path Traversal), CWE-269 (Improper Privilege Management)
  • Attack Vector: Network (AV:N)
  • CVSS: 6.4 (CVSS v4.0)
  • EPSS: 0.0032 (Percentile: 23.55%)
  • Impact: Privilege Escalation to Cluster Administrator
  • Exploit Status: PoC (In-repository tests)
  • KEV Status: Not Listed

Affected Systems

  • Grafana Operator
  • Grafana Operator: <= 5.23 (Fixed in: 5.24.0)

Code Analysis

Commit: 5bb71ae

fix: use os.Root for jsonnet imports
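The commit above moves Jsonnet imports onto os.Root, whose methods refuse any path that leaves the directory the root was opened on. As an added example (not the operator's own code), here is what an importer built on that mechanism looks like; the RootImporter type, its Import signature, the "unpacked project directory" layout and the Go 1.24+ requirement are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// RootImporter reads Jsonnet imports through an *os.Root anchored at the
// unpacked project dir, so "..", absolute paths and escaping symlinks fail.
type RootImporter struct{ root *os.Root }

// NewRootImporter anchors the importer at projectDir (assumption: the
// directory where the operator unpacked the dashboard's Jsonnet project).
func NewRootImporter(projectDir string) (*RootImporter, error) {
	r, err := os.OpenRoot(projectDir)
	if err != nil {
		return nil, err
	}
	return &RootImporter{root: r}, nil
}

// Import returns the file's contents and the in-root path it was found at.
// Relative imports resolve against the importing file's directory.
func (ri *RootImporter) Import(importedFrom, importedPath string) (string, string, error) {
	target := importedPath
	if !filepath.IsAbs(importedPath) {
		target = filepath.Join(filepath.Dir(importedFrom), importedPath)
	}
	f, err := ri.root.Open(target) // os.Root enforces containment here
	if err != nil {
		return "", "", fmt.Errorf("jsonnet import %q refused: %w", importedPath, err)
	}
	defer f.Close()
	data, err := io.ReadAll(f)
	if err != nil {
		return "", "", err
	}
	return string(data), target, nil
}

func main() {
	imp, err := NewRootImporter(".") // the working directory stands in for a project
	if err != nil {
		panic(err)
	}
	_, _, err = imp.Import("main.jsonnet", "../../../../etc/passwd")
	fmt.Println("traversal refused:", err != nil) // prints: traversal refused: true
}
```

Without the root, the same Join-then-read logic would happily return the token file the report describes; with it, the escaping path errors before any read happens.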

Exploit Details

Mitigation Strategies

  • Upgrade to Grafana Operator version 5.24.0 or higher.
  • Deploy a Kubernetes ValidatingAdmissionPolicy to block Jsonnet build parameters in custom resources.
  • Enforce least-privilege RBAC roles for the operator manager service account.

Remediation Steps:

  1. Execute 'helm upgrade -i grafana-operator oci://ghcr.io/grafana/helm-charts/grafana-operator --version 5.24.0' to update the operator deployment.
  2. Apply the CRD updates using the manifests supplied in the release assets of version 5.24.0.
  3. Audit all namespaces for existing GrafanaDashboard resources that utilize the jsonnetProjectBuild configuration.

References


Read the full report for CVE-2026-11769 on our website for more details including interactive diagrams and full exploit analysis.