openSUSE 16 Security Update : grafana (openSUSE-SU-2026:20940-1)

medium Nessus Plugin ID 321072

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20940-1 advisory.

Changes in grafana:

- CVE-2026-39821: Fix validation bypass and privilege escalation by updating golang.org/x/net to version 0.55.0 (bsc#1266600)

- Update to version 11.6.14+security-04:
Security:
* CVE-2026-28374: Fix insecure direct object reference in Annotations API (bsc#1265290)
* CVE-2026-28376: Fix unbounded memory allocation in Grafana Live push endpoint (bsc#1265289)
* CVE-2026-28383: Fix unbounded memory allocation in Grafana plugin resources (bsc#1265286)
* CVE-2026-28380: Fix broken access control in Snapshot API (bsc#1265287)
* CVE-2026-33376: Fix Auth Proxy IPv6 whitelist bypass (bsc#1265285)
* CVE-2026-28379: Fix viewer-triggered race condition in Grafana Live (bsc#1265288)
* CVE-2026-33377: Fix dashboard Editor Privilege Escalation (bsc#1265284)
* CVE-2026-33378: Fix OOM exception in Grafana Data Source Plugin (bsc#1265283)
* CVE-2026-33381: Prevent users from generating Service Account tokens after permissions removal (bsc#1265281)
* CVE-2026-33380: Fix vulnerability in SQL Expressions allowing an authenticated attacker to read arbitrary files from the Grafana server's filesystem (bsc#1265282)

- CVE-2026-34986: Fix panic in JWE decryption (bsc#1262950)
- CVE-2026-41602: Fix Integer Overflow or Wraparound vulnerability in Apache Thrift (bsc#1263501)

- CVE-2026-26958: Bump filippo.io/edwards25519 to version 1.1.1 (bsc#1258595)
- CVE-2026-21725: Fix missing UID when deleting datasource by name (bsc#1258873)

- Update to version 11.6.14+security-01:
Security:
* CVE-2026-33375: Fix denial of service via out-of-memory exhaustion in MSSQL data source plugin (bsc#1260881)

- Update to version 11.6.14:
Security:
* CVE-2026-27876: Fix remote arbitrary code execution via chained SQL Expressions (bsc#1261025)
* CVE-2026-27877: Fix information disclosure of data-source passwords via public dashboards (bsc#1261026)
* CVE-2026-28375: Fix denial of service via testdata data-source (bsc#1261029)
* CVE-2026-27879: Fix denial of service via resample query (bsc#1261027)
* CVE-2026-33186: Fix authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260263)
* CVE-2026-21724: Fix authorization bypass allows modification of protected webhook URLs (bsc#1260878)

- Update to version 11.6.13:
Enhancement:
* Wire the public dashboard service to the HTTP server

- Update to version 11.6.12:
Enhancement:
* Update authentication redirect logic
Bug fix:
* Fix single panel render with variable references

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected grafana package.

See Also

https://bugzilla.suse.com/1258595

https://bugzilla.suse.com/1258873

https://bugzilla.suse.com/1259999

https://bugzilla.suse.com/1260263

https://bugzilla.suse.com/1260878

https://bugzilla.suse.com/1260881

https://bugzilla.suse.com/1261025

https://bugzilla.suse.com/1261026

https://bugzilla.suse.com/1261027

https://bugzilla.suse.com/1261029

https://bugzilla.suse.com/1262950

https://bugzilla.suse.com/1263501

https://bugzilla.suse.com/1264764

https://bugzilla.suse.com/1265281

https://bugzilla.suse.com/1265282

https://bugzilla.suse.com/1265283

https://bugzilla.suse.com/1265284

https://bugzilla.suse.com/1265285

https://bugzilla.suse.com/1265286

https://bugzilla.suse.com/1265287

https://bugzilla.suse.com/1265288

https://bugzilla.suse.com/1265289

https://bugzilla.suse.com/1265290

https://bugzilla.suse.com/1266600

https://www.suse.com/security/cve/CVE-2025-29923

https://www.suse.com/security/cve/CVE-2025-30153

https://www.suse.com/security/cve/CVE-2026-21724

https://www.suse.com/security/cve/CVE-2026-27876

https://www.suse.com/security/cve/CVE-2026-27877

https://www.suse.com/security/cve/CVE-2026-27879

https://www.suse.com/security/cve/CVE-2026-28374

https://www.suse.com/security/cve/CVE-2026-28375

https://www.suse.com/security/cve/CVE-2026-28376

https://www.suse.com/security/cve/CVE-2026-28379

https://www.suse.com/security/cve/CVE-2026-28380

https://www.suse.com/security/cve/CVE-2026-28383

https://www.suse.com/security/cve/CVE-2026-33186

https://www.suse.com/security/cve/CVE-2026-33375

https://www.suse.com/security/cve/CVE-2026-33376

https://www.suse.com/security/cve/CVE-2026-33377

https://www.suse.com/security/cve/CVE-2026-33378

https://www.suse.com/security/cve/CVE-2026-33380

https://www.suse.com/security/cve/CVE-2026-33381

https://www.suse.com/security/cve/CVE-2026-34986

https://www.suse.com/security/cve/CVE-2026-39821

https://www.suse.com/security/cve/CVE-2026-41602

https://www.suse.com/security/cve/CVE-2026-21725

https://www.suse.com/security/cve/CVE-2026-26958

Plugin Details

Severity: Medium

ID: 321072

File Name: openSUSE-2026-20940-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/14/2026

Updated: 6/14/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-27877

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 2.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-26958

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:grafana

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/10/2026

Vulnerability Publication Date: 3/19/2025

Reference Information

CVE: CVE-2025-29923, CVE-2025-30153, CVE-2026-21724, CVE-2026-21725, CVE-2026-26958, CVE-2026-27876, CVE-2026-27877, CVE-2026-27879, CVE-2026-28374, CVE-2026-28375, CVE-2026-28376, CVE-2026-28379, CVE-2026-28380, CVE-2026-28383, CVE-2026-33186, CVE-2026-33375, CVE-2026-33376, CVE-2026-33377, CVE-2026-33378, CVE-2026-33380, CVE-2026-33381, CVE-2026-34986, CVE-2026-39821, CVE-2026-41602

IAVB: 2026-B-0079-S, 2026-B-0128