openSUSE-SU-2026:20654-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20654-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2026:20654-1
Upstream
  • CVE-2024-11741
  • CVE-2024-9476
  • CVE-2025-2703
  • CVE-2025-3415
  • CVE-2025-3454
  • CVE-2025-3580
  • CVE-2025-6023
  • CVE-2025-6197
  • CVE-2026-21721
  • CVE-2026-21722
Related
Published
2026-04-29T16:12:10Z
Modified
2026-05-12T18:24:46.991191810Z
Summary
Security update for grafana
Details

This update for grafana fixes the following issues:

Changes in grafana:

  • Update to version 11.6.11: Features and enhancements:

    • Alerting: Add limits for the size of expanded notification templates
    • Correlations: Remove support for org_id=0 Security:
    • CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136)

  • Update to version 11.6.10: Features and enhancements:

    • API: Add missing scope check on dashboards
    • Avatar: Require sign-in, remove queue, respect timeout Bug fixes:
    • Alerting: Fix a race condition panic in ResetStateByRuleUID

  • Update to version 11.6.9: Features and enhancements:

    • Plugins: Add PluginContext to plugins when scenes is disabled Bug fixes:
    • Alerting: Fix contacts point issues

  • Update to version 11.6.8: Bug fixes:

    • Alerting: Fix unmarshalling of GettableStatus to include time intervals

  • Update to version 11.6.7: Bug fixes:

    • Auth: Fix render user OAuth passthrough
    • LDAP Authentication: Fix URL to propagate username context as parameter
    • Plugins: Dependencies do not inherit parent URL for preinstall
    • URLParams: Stringify true values as key=true always (fixes issues with variables with true value)

  • Update to version 11.6.6: Bug fixes:

    • Alerting: Fix copying of recording rule fields
    • Fix redirection after login when Grafana is served from subpath

  • Update to version 11.6.5: Features and enhancements:

    • Alerting: Bump alerting package to include change to NewTLSClient

  • Update to version 11.6.4: Features and enhancements:

    • StateTimeline: Add endTime to tooltip
    • Unified storage: Respect GFDATABASEURL override Bug fixes:
    • Alerting: Fix group interval override when adding new rules
    • Azure: Fix legend formatting
    • Azure: Fix resource name determination in template variable queries
    • Graphite: Fix annotation queries
    • Graphite: Fix date mutation
    • Graphite: Fix nested variable interpolation for repeated rows

  • Update to version 11.6.3: Security:

    • Fixes CVE-2025-3415

  • Update to version 11.6.2: Bug fixes:

    • Dashboard: Fixes issue with row repeats and first row
    • Graphite: Ensure template variables are interpolated correctly
    • Graphite: Fix Graphite series interpolation
    • Prometheus: Fix semver import path

  • Update to version 11.6.1: Features and enhancements:

    • DashboardScenePage: Correct slug in self referencing data links
    • GrafanaUI: Use safePolygon close handler for interactive tooltips instead of a delay
    • Prometheus: Add support for cloud partners Prometheus data sources Bug fixes:
    • Alertmanager: Add Role-Based Access Control via reqAction Field
    • GrafanaUI: Remove blurred background from overlay backdrops to improve performance
    • InfluxDB: Fix nested variable interpolation
    • LDAP test: Fix page crash
    • Org redirection: Fix linking between orgs

  • Upgrade to version 11.6.0: Features and enhancements:

    • Visualisations: One click links and actions
    • Annotations: Add cron syntax support
    • WebGL-powered geomaps for better performance
    • Alerting: Add alert rule version history Security:
    • API keys: Migrate API keys to service accounts at startup

  • CVE-2026-21721: Fix access control by the dashboard permissions API (bsc#1257337)

  • CVE-2026-21720: Fix unauthenticated DoS (bsc#1257349)
  • CVE-2025-68156: Fix potential DoS via unbounded recursion in builtin functions (bsc#1255340)

  • CVE-2025-64751: Drop experimental implementation of authorization Zanzana server/client (bsc#1254113)

  • Use forked wire from Grafana repository instead of external package (jsc#PED-14178).

  • Update to version 11.5.10: Security:

    • CVE-2025-47911: Fix parsing HTML documents (bsc#1251454)
    • CVE-2025-58190: Fix excessive memory consumption (bsc#1251657) Features and enhancements:
    • Update to Go 1.25
    • Update to golang.org/x/net v0.45.0 Bug fixes:
    • Auth: Fix render user OAuth passthrough.
    • LDAP Authentication: Fix URL to propagate username context as parameter.
    • Plugins: Dependencies do not inherit parent URL for preinstall.

  • Update to version 11.5.9:

    • Security: CVE-2025-11065: Fix sensitive information leak in logs (bsc#1250616)
    • Features and enhancements: Auditing: Document new options for recording datasource query request/response body.
    • Bug fixes: Login: Fix redirection after login when Grafana is served from subpath.

  • Update to version 11.5.8:

    • No relevant changes

  • Update to version 11.5.7:

    • Security: CVE-2025-6023: Fix cross-site-scripting via scripted dashboards (bsc#1246735) CVE-2025-6197: Fix open redirect in organization switching (bsc#1246736)
    • Bug fixes: Azure: Fix legend formatting. Azure: Fix resource name determination in template variable queries.

  • Update to version 11.5.6:

    • Security: CVE-2025-3415: Fix exposure of DingDing alerting integration URL to Viewer level users (bsc#1245302)

  • Update to version 11.5.5 (jsc#PED-12918):

    • Security: CVE-2025-4123: Fix cross-site scripting vulnerability (bsc#1243714). CVE-2025-22872: Bump golang.org/x/net/html (bsc#1241809) CVE-2025-3580: Prevent unauthorized server admin deletion (bsc#1243672).

  • Update to version 11.5.4:

    • Security: CVE-2025-29923: Bump github.com/redis/go-redis/v9 to 9.6.3. CVE-2025-3454: Sanitize paths before evaluating access to route (bsc#1241683). CVE-2025-2703: Fix built-in XY Chart plugin (bsc#1241687).
    • Features and enhancements: Azure Monitor: Filter namespaces by resource group. Azure: Add support for custom namespace and custom metrics variable queries. Azure: Resource picker improvements. Azure: Support more complex variable interpolation. Azure: Variable editor and resource picker improvements. DashboardScenePage: Correct slug in self referencing data links. Prometheus: Add support for cloud partners Prometheus data sources.
    • Bug fixes: InfluxDB: Fix nested variable interpolation. LDAP test: Fix page crash.

  • Update to version 11.5.3:

    • Security: CVE-2025-22870: Bump golang.org/x/net (bsc#1238703).
    • Bug fixes: Alerting: Fix token-based Slack image upload to work with channel names. Auth: Fix AzureAD config UI's ClientAuthentication dropdown. Dashboard: Fix the unintentional time range and variables updates on saving. Dashboards: Fix missing v/e/i keybindings to return back to dashboard. InfluxDB: Improve handling of template variables contained in regular expressions (InfluxQL). Org redirection: Fix linking between orgs.

  • Update to version 11.5.2:

    • Bug fixes: Alerting: Allow specifying uid for new rules added to groups. Alerting: Call RLock() before reading sendAlertsTo map. Auth: Fix redirect with JWT auth URL login. AuthN: Refetch user on "ErrUserAlreadyExists". Azure: Correctly set application insights resource values. DashboardList: Throttle the re-renders. Dashboards: Bring back scripted dashboards. Plugin Metrics: Eliminate data race in plugin metrics middleware. RBAC: Don't check folder access if annotationPermissionUpdate FT is enabled.

  • Update to version 11.5.1:

    • Bug fixes: CodeEditor: Fix cursor alignment. TransformationFilter: Include transformation outputs in transformation filtering options.

  • Upgrade to version 11.5.0:

    • Breaking changes: Loki: Default to /labels API with query param instead of /series API.
    • Features and enhancements: Extended Cloud Migration Assistent support for plugins and alerts. Redesigned filters for dashboards. New regular expression option for Extract fields transformation. Redesigned sharing experience in Dashboards. Customizable shareable dashboard panel images. RBAC for alerting notifications and notification policies. Add support for Elasticsearch cross-cluster search. Time series macro support in visual query builder for SQL data sources. OAuth and SAML session handling improvements. Plugin Frontend Sandbox for additiona security. Renamed Public dashboards to Shared dashboards.

  • Update to version 11.4.1:

    • Bug fixes: Alerting: AlertingQueryRunner should skip descendant nodes of invalid queries. Alerting: Fix alert rules unpausing after moving rule to different folder. Alerting: Fix label escaping in rule export. Alerting: Fix slack image uploading to use new api. Azure/GCM: Improve error display. Dashboards: Fix issue where filtered panels would not react to variable changes. Dashboards: Fixes issue with panel header showing even when hide time override was enabled. Dashboards: Fixes week relative time ranges when weekStart was changed. Dashboards: Panel react for timeFrom and timeShift changes using variables. DateTimePicker: Fixes issue with date picker showing invalid date. Fix: Add support for datasource variable queries. InfluxDB: Adhoc filters can use template vars as values. LibraryPanel: Fallback to panel title if library panel title is not set.

  • Upgrade to version 11.4.0:

    • Features and enhancements: Cloudwatch: OpenSearch PPL and SQL support in Logs Insights.

  • Update to version 11.3.1:

    • Features and enhancements: Alerting: Make context deadline on AlertNG service startup configurable. MigrationAssistant: Restrict dashboards, folders and datasources by the org id of the signed in user. User: Check SignedInUser OrgID in RevokeInvite.
    • Bug fixes: Alerting: Fix escaping of silence matchers in utf8 mode. Alerting: Fix overflow for long receiver names. Alerting: Fix saving advanced mode toggle state in the alert rule editor. Alerting: Fix setting datasource uid, when datasource is string in old version. Alerting: Force refetch prom rules when refreshing panel. Anonymous User: Adds validator service for anonymous users. Azure Monitor: Support metric namespaces fallback. Azure: Fix duplicated traces in multi-resource trace query. Azure: Handle namespace request rejection. CloudWatch: Interpolate region in log context query. Dashboard datasource: Return annotations as series when query topic is "annotations". Dashboard: Append orgId to URL. Dashboards: Fixes performance issue expanding a row. Flame Graph: Fix crash when it receives empty data. Folders: Add admin permissions upon creation of a folder w. SA. Folders: Don't show error pop-up if the user can't fetch the root folder. Migration: Remove table aliasing in delete statement to make it work for mariadb. ServerLock: Fix pg concurrency/locking issue. Service Accounts: Run service account creation in transaction. Table: Fix text wrapping applying to wrong field. Unified Storage: Use ssl_mode instead of sslmode.

  • Update to version 11.3.0+security-01:

    • Security: CVE-2024-9476: Fix Migration Assistant issue (bsc#1233343)

  • Upgrade to version 11.3.0:

    • Features and enhancements: View mode and Edit mode are generally available. Template variables and the time range picker remain visible when scrolling. Added timezone parameter in Grafana URL. Kiosk mode displays dashboard controls. Auto-formatted table cell values in Cell Inspect. Allow adding actions to canvas elements. Legend support in bar gauge visualizations. Apply the same binary transformation to all the number fields in a given table at once. Add support for data links and actions in several visualizations. The Explore Logs plugin is installed by default. Added correlations to external URLs in Explore. Simplified query section for alert rule creation. Introduced recording rules for Grafana-managed alerts. GitHub App authentication for the GitHub data source. Improved subfolder creation flow. Redesigned plugin details page. Added UI for LDAP configuration. Added RBAC support in Plugins.

  • Update to version 11.2.2+security-01:

    • Bug fix: SQL Expressions: Fixes CVE-2024-9264 (bsc#1231844)

  • Update to version 11.2.2:

    • Features and enhancements: Data sources: Hide the datasource redirection banner for users who can't interact with data sources.
    • Bug fixes: Alerting: Fix preview of silences when label name contains spaces. Alerting: Make query wrapper match up datasource UIDs if necessary. AzureMonitor: Improve resource picker efficiency. AzureMonitor: Remove Basic Logs retention warning. CloudWatch: Fix segfault when migrating legacy queries. DashboardScene: Fix broken error handling and error rendering. Plugins: Avoid returning 404 for AutoEnabled apps.

  • Update to version 11.2.1:

    • Features and enhancements: Alerting: Support for optimistic concurrency in priovisioning Tempate API. Logs panel: Enable displayedFields in dashboards and apps. State timeline: Add pagination support.
    • Bug fixes: Authn: No longer hash service account token twice during authentication. CloudMigrations: Fix snapshot creation on Windows systems. DashGPT: Fixes issue with generation on Safari. Dashboard: Fix Annotation runtime error when a data source does not support annotations. Grafana SQL: Fix broken import in NumberInput component. Logs: Show older logs button when infinite scroll is enabled and sort order is descending. RBAC: Fix an issue with server admins not being able to manage users in orgs that they don't belong to. Templating: Fix searching non-latin template variables.

  • Upgrade to version 11.2.0:

    • Features and enhancements: Grafana Cloud Migration Assistant is in public preview. Added navigation bookmarks. Added template variables support in some transformations. Introduced Transpose transformation. Group to nested tables is now generally available. Format string transformation is now generally available. New cumulative and window calculations available in Add field from calculation. Canvas: Standardized tooltips. Canvas: Allow adding data links without using an override. Canvas: Allow opening data links with a single click. Canvas: Add the ability to control the order in which data links are displayed. Added pagination support for state timeline. Centralized alert history page. Grafana Explore now allows for logs filtering and pinning in content outline. Added forward direction search for Loki. Added Cloudwatch Metric Insights cross account observability support. Added Yugabyte data source. Map org-specific user roles from your OAuth provider. Better SAML integration for Azure AD. API support for LDAP configuration (experimental). OpenID Connect Discovery URL for Generic OAuth.

  • Update to version 11.1.5:

    • Bug fixes: Alerting: Fix permissions for prometheus rule endpoints. Alerting: Fix persisting result fingerprint that is used by recovery threshold. RBAC: Fix an issue with server admins not being able to manage users in orgs that they don't belong to. Snapshots: Fix panic when snapshotremoveexpired is true. VizTooltip: Fix positioning at bottom and right edges on mobile. Plugins: Fix QueryField typeahead missing background color.

  • Update to version 11.1.3:

    • Bug fix: RBAC: Allow plugins to use scoped actions.

  • Update to version 11.1.1:

    • Bug fixes: Alerting: Skip fetching alerts for unsaved dashboards. Alerting: Support utf8strictmode: false in Mimir. Scenes: Fixes issue with panel repeat height calculation. Table Panel: Fix Image hover without datalinks. Tempo: Fix grpc streaming support over pdc-agent. RBAC: Allow plugins to use scoped actions.

  • Upgrade to version 11.1.0:

    • Security: CVE-2023-45288: Bump golang.org/x/net (bsc#1236510)
    • Features and improvements: Allow table cell text wrapping. Added stat visualization percent change color mode options. XA chart is generally available. Redesigned settings page for Alerting. Added alerting template selector. Added OAuth2 to HTTP settings for vanilla Alertmanager / Mimir. Improved paused alert visibility. Rule-specific silences with permissions. Support for AWS SNS integration in Grafana-managed alerts. Added GeoMap and panel shortcut keyboard support. Accessability headings improvements. Added reduced motion support.

  • Update to version 11.0.1:

    • Breaking changes: If you had selected your language as "Portugu�s Brasileiro" previously, this will be reset. You have to select it again in your Preferences for the fix to be applied and the translations will then be shown.
    • Bug fixes: Echo: Suppress errors from frontend-metrics API call failing. Analytics: Fix ApplicationInsights integration. DashboardScene: Fixes issue removing override rule. BrowseDashboards: Prepend subpath to New Browse Dashboard actions. Alerting: Fix rule storage to filter by group names using case-sensitive comparison. RBAC: List only the folders that the user has access to. DashboardScene: Fixes lack of re-render when updating field override properties. DashboardScene: Fixes inspect with transforms issue. AzureMonitor: Fix bug detecting app insights queries. Access Control: Clean up permissions for deprovisioned data sources. Loki: Fix editor history in wrong order. SSE: Fix threshold unmarshal to avoid panic. LibraryPanels/RBAC: Ignore old folder permission check when deleting/patching lib panel. Dashboards: Correctly display Admin access to dashboards in the UI. LogsTable: Fix default sort by time. Alerting: Fix rules deleting when reordering whilst filtered. Alerting: Fix typo in JSON response for rule export. CloudMonitoring: Fix query type selection issue. Alerting: Fix scheduler to sort rules before evaluation. DashboardScene: Skip panel repeats when values are the same. Alerting: Do not store series values from past evaluations in state manager for no reason. DashboardScene: Fixing major row repeat issues. DashboardScene: Fixes checkbox orienation in save forms.

  • Upgrade to version 11.0.0:

    • Breaking changes: AngularJS support is turned off by default. Legacy alerting is entirely removed. Subfolders cause very rare issues with folders which have slashes in their names. The input data source is removed. Data sources: Responses which are associated with hidden queries will be removed (filtered) by Grafana. The URL which is generated when viewing an individual repeated panel has changed. React Router is deprecated. The grafana/e2e testing tool is deprecated.
    • Features and enhancements: Introduced Explore Metrics (public preview) and Explore Logs (experimental). Introduced edit mode to provide an easier way to discover and interact with the dashboard edit exprerience. Fixed positioning of template variables and time picker. Introduced dashboard subfolders. Use AI to generate titles and descriptions for panels and dashboards. Canvas: Enhanced flowcharting functionality. Canvas: Universal data link support. Canvas: Added infinite panning editor option. Added colored table rows with conditional formatting. Set threshold colors in the Config from query transformation. Substring matcher added to the Filter by value transformation. Keep Last State for Grafana Managed Alerting. Redesigned alert detail view. The Alerting Provisioning HTTP API has been updated to enforce RBAC. Removed old Tempo Search and Loki Search. MSSQL: Windows Active Directory (Kerberos) authentication. New strong password policy.

  • CVE-2025-27144: Fix Go JOSE's Parsing Vulnerability (bsc#1237671)

  • CVE-2024-51744: Fix bad documentation of error handling in ParseWithClaims (bsc#1232975)

  • CVE-2024-45339: Fix vulnerability when creating log files (bsc#1236559)

  • Update to version 10.4.15:

    • Bugfixes CVE-2024-11741: Fix the Grafana Alerting VictorOps integration (bsc#1236734) Chore: Bump dependency golang.org/x/crypto to v0.31.0

  • Update to version 10.4.14:

    • Bugfixes Alerting: Do not fetch Orgs if the user is authenticated by apikey/sa or render key
References

Affected packages