SCA: security update for github.com/grafana/grafana-operator/v5 (GHSA-fcw4-wwqm-m8cf)

medium Tenable Cloud Security Plugin ID 443684

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator.

  Summary

  The Grafana Operator supports loading dashboards & library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod.

  Impact

  It is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager.

  Affected versions

  All Grafana Operator versions <= 5.23

  Solutions and mitigations

  All installations should be upgraded as soon as possible. As a workaround, the following ValidatingAdmissionPolicy prevents the creation or modification of jsonnet based resources:

    apiVersion: admissionregistration.k8s.io/v1
    kind: ValidatingAdmissionPolicy
    metadata:
      name: "prevent-jsonnet-dashboards"
    spec:
      failurePolicy: Fail
      matchConstraints:
        resourceRules:
        - apiGroups: ["grafana.integreatly.org"]
          apiVersions: ["v1beta1"]
          operations: ["CREATE", "UPDATE"]
          resources: ["grafanadashboards", "grafanalibrarypanels"]
      validations:
      - expression: "!has(object.spec.jsonnetLib)"
    ---
    apiVersion: admissionregistration.k8s.io/v1
    kind: ValidatingAdmissionPolicyBinding
    metadata:
      name: "prevent-jsonnet-dashboards-clusterwide"
    spec:
      policyName: "prevent-jsonnet-dashboards"
      validationActions: [Deny]

  Acknowledgement

  We would like to thank Artem Cherezov for responsibly disclosing the vulnerability. (CVE-2026-11769)

Solution

Update the github.com/grafana/grafana-operator/v5 library and its related packages to version 5.24.0 or later.

See Also

https://github.com/advisories/GHSA-fcw4-wwqm-m8cf

Plugin Details

Severity: Medium

ID: 443684

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 6/20/2026

Updated: 7/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.97

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-11769

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.4

Threat Score: 2.4

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/19/2026

Vulnerability Publication Date: 6/13/2026

Reference Information

CVE: CVE-2026-11769