CVE-2026-11769: Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName

June 19, 2026

The Grafana Operator supports loading dashboards & library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod.

References

github.com/advisories/GHSA-fcw4-wwqm-m8cf
github.com/grafana/grafana-operator/security/advisories/GHSA-fcw4-wwqm-m8cf
grafana.com/security/security-advisories/cve-2026-11769
nvd.nist.gov/vuln/detail/CVE-2026-11769

Code Behaviors & Features

Detect and mitigate CVE-2026-11769 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →