fix(deps): update module github.com/grafana/grafana-operator/v5 to v5.24.0 [security] by renovate[bot] · Pull Request #614 · uhthomas/automata

renovate · 2026-06-23T18:35:24Z

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/grafana/grafana-operator/v5	`v5.22.2` → `v5.24.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName

CVE-2026-11769 / GHSA-fcw4-wwqm-m8cf

More information

Details

We have released version 5.24.0 of the Grafana Operator. This patch includes a MODERATE severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator.

Summary

The Grafana Operator supports loading dashboards & library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod.

Impact

It is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager.

Affected versions

All Grafana Operator versions <= 5.23

Solutions and mitigations

All installations should be upgraded as soon as possible.

As a workaround, the following ValidatingAdmissionPolicy prevent the creation or modification of jsonnet based resources:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "prevent-jsonnet-dashboards"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["grafana.integreatly.org"]
        apiVersions: ["v1beta1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["grafanadashboards", "grafanalibrarypanels"]
  validations:
    - expression: "!has(object.spec.jsonnetLib)"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "prevent-jsonnet-dashboards-clusterwide"
spec:
  policyName: "prevent-jsonnet-dashboards"
  validationActions: [Deny]

Acknowledgement

We would like to thank Artem Cherezov for responsibly disclosing the vulnerability.

Severity

CVSS Score: 6.4 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

grafana/grafana-operator (github.com/grafana/grafana-operator/v5)

`v5.24.0`

Compare Source

Welcome to release 5.24.0 of the Grafana Operator!

This release contains an important security fix, and we urge you to update to this version as soon as possible. We are not aware of any breaking changes all through versions >= 5 so updates should be trivial.

Regarding features, this release includes support for fetching dashboards & library panels using OCI artifacts.

Upgrade instructions

Using Helm

# Upgrade the operator image & deployment
helm upgrade -i grafana-operator oci://ghcr.io/grafana/helm-charts/grafana-operator --version 5.24.0

# Upgrading CRDs
kubectl apply --server-side --force-conflicts -f https://github.com/grafana/grafana-operator/releases/download/v5.24.0/crds.yaml

Using kubectl

# Namespace Scope
kubectl replace -f https://github.com/grafana/grafana-operator/releases/download/v5.24.0/kustomize-namespace_scoped.yaml

# Cluster Scope
kubectl replace -f https://github.com/grafana/grafana-operator/releases/download/v5.24.0/kustomize-cluster_scoped.yaml

Using kustomize

flux pull artifact oci://ghcr.io/grafana/kustomize/grafana-operator:v5.24.0 --output ./grafana-operator/

Using OLM

Releases are published to operatorhub.io as well as the OpenShift Operator Catalog. Depending on the installation, existing installations will either upgrade automatically or require approval from an administrator.

What's Changed

Features

feat: Add generic API reconciler by @theSuess in #2696
feat: add OCI artifact source for dashboard and library panel content by @bosiakov in #2677

Fixes

fix(AlertRuleGroup): normalize query model before drift compare by @immanuwell in #2716
fix: use os.Root for jsonnet imports by @theSuess in #2741

Dependencies

fix(security/unknown): update module golang.org/x/crypto to v0.52.0 [security] by @renovate-sh-app[bot] in #2717
fix(security/unknown): update module golang.org/x/net to v0.55.0 [security] by @renovate-sh-app[bot] in #2718
fix(deps): update module github.com/onsi/ginkgo/v2 to v2.29.0 by @renovate-sh-app[bot] in #2725
fix(deps): update module github.com/go-openapi/runtime to v0.31.0 by @renovate-sh-app[bot] in #2724
chore(deps): update grafana/shared-workflows/create-github-app-token action to v0.2.3 by @renovate-sh-app[bot] in #2722
fix(deps): update module github.com/go-openapi/runtime to v0.32.0 by @renovate-sh-app[bot] in #2729
fix(deps): update module github.com/go-openapi/runtime to v0.32.1 by @renovate-sh-app[bot] in #2730
fix(deps): update module github.com/go-openapi/runtime to v0.32.2 by @renovate-sh-app[bot] in #2731
chore(deps): update grafana/shared-workflows/create-github-app-token action to v0.3.0 by @renovate-sh-app[bot] in #2732
fix(deps): update module github.com/go-openapi/strfmt to v0.26.3 by @renovate-sh-app[bot] in #2735
chore(deps): update grafana/shared-workflows/create-github-app-token action to v0.3.1 by @renovate-sh-app[bot] in #2737
fix(deps): update module github.com/go-openapi/runtime to v0.32.3 by @renovate-sh-app[bot] in #2738
fix(deps): update module oras.land/oras-go/v2 to v2.6.1 by @renovate-sh-app[bot] in #2740

Other Changes

chore(workflows): update test matrix by @weisdd in #2733
chore: release 5.24.0 by @theSuess in #2742

New Contributors

@bosiakov made their first contribution in #2677

Full Changelog: grafana/grafana-operator@v5.23.0...v5.24.0

`v5.23.0`

Compare Source

We're happy to announce version 5.23.0 of the Grafana Operator!

This release contains fixes for a bunch of long standing issues as well as quality-of-live improvements. It also bumps the default Grafana version to 13.0.1. Note that existing instances will not be updated automatically. To update them, modify the value of .spec.version.

Upgrade instructions

Using Helm

# Upgrade the operator image & deployment
helm upgrade -i grafana-operator oci://ghcr.io/grafana/helm-charts/grafana-operator --version 5.23.0

# Upgrading CRDs
kubectl apply --server-side --force-conflicts -f https://github.com/grafana/grafana-operator/releases/download/v5.23.0/crds.yaml

Using kubectl

# Namespace Scope
kubectl replace -f https://github.com/grafana/grafana-operator/releases/download/v5.23.0/kustomize-namespace_scoped.yaml

# Cluster Scope
kubectl replace -f https://github.com/grafana/grafana-operator/releases/download/v5.23.0/kustomize-cluster_scoped.yaml

Using kustomize

flux pull artifact oci://ghcr.io/grafana/kustomize/grafana-operator:v5.23.0 --output ./grafana-operator/

Using OLM

Releases are published to operatorhub.io as well as the OpenShift Operator Catalog. Depending on the installation, existing installations will either upgrade automatically or require approval from an administrator.

What's Changed

Features

feat(Grafana): Update Grafana Deployment when referenced Secret or Configmap contents change by @vignesh-codes in #2525
feat(OLM): make leader election optional by @raks-tt in #2661
feat: feature flag api by @theSuess in #2695
feat(helm): allow setting ipFamilyPolicy by @sebhoss in #2697
feat: disable gzip compression in grafana >= 13 by @theSuess in #2714

Fixes

fix(helm): namespaceScope RBAC (avoid ClusterRole) by @peterbueschel in #2595
chore(deps): update dependency autoprefixer to ^10.5.0 by @renovate-sh-app[bot] in #2650
fix: make tenantNamespace optional by @theSuess in #2665
fix(grafana): do not propagate applyset labels to child resources by @weisdd in #2666
chore(ContactPoint): Remove always false check for skipping updates by @Baarsgaard in #2670
fix: only cache contents on successful apply by @theSuess in #2668
fix: limit gvr resolving to correct kind by @theSuess in #2674
fix(cache): handle corrupted cache by @weisdd in #2684
fix(controllers): incorrect matchExpressions (DoesNotExist / NotIn) handling for instances with no labels by @immanuwell in #2704

Dependencies

chore(deps): update module google.golang.org/grpc to v1.79.3 [security] by @renovate-sh-app[bot] in #2591
fix(deps): update module github.com/go-openapi/strfmt to v0.26.1 by @renovate-sh-app[bot] in #2589
fix(deps): update module k8s.io/apimachinery to v0.35.3 by @renovate-sh-app[bot] in #2592
fix(deps): update kubernetes monorepo to v0.35.3 by @renovate-sh-app[bot] in #2598
fix(deps): update module k8s.io/apiextensions-apiserver to v0.35.3 by @renovate-sh-app[bot] in #2599
chore(deps): lock file maintenance by @renovate-sh-app[bot] in #2600
fix(deps): update module github.com/google/go-jsonnet to v0.22.0 by @renovate-sh-app[bot] in #2603
fix(deps): update github.com/grafana/grafana-openapi-client-go digest to ee77c4f by @renovate-sh-app[bot] in #2615
chore(deps): update docker.io/grafana/grafana docker tag to v12.4.2 by @renovate-sh-app[bot] in #2606
fix(deps): update module github.com/itchyny/gojq to v0.12.19 by @renovate-sh-app[bot] in #2620
fix(deps): update module github.com/alecthomas/kong to v1.15.0 by @renovate-sh-app[bot] in #2621
chore(deps): update dependency postcss to ^8.5.8 by @renovate-sh-app[bot] in #2631
chore(deps): update fluxcd/flux2 action to v2.8.5 by @renovate-sh-app[bot] in #2630
fix(deps): update module github.com/testcontainers/testcontainers-go to v0.42.0 by @renovate-sh-app[bot] in #2634
chore(deps): update docker.io/grafana/grafana docker tag to v13 by @renovate-sh-app[bot] in #2649
fix(deps): update kubernetes monorepo to v0.35.4 by @renovate-sh-app[bot] in #2648
chore(deps): update docker.io/grafana/grafana docker tag to v13.0.1 by @renovate-sh-app[bot] in #2654
grouping renovate PRs by @nissessenap in #2640
chore(deps): update dependency postcss to ^8.5.9 by @renovate-sh-app[bot] in #2657
chore(deps): lock file maintenance by @renovate-sh-app[bot] in #2613
fix(deps): update github.com/grafana/grafana-openapi-client-go digest to 5b95bb1 - abandoned by @renovate-sh-app[bot] in #2637
chore(deps): update dependency postcss to ^8.5.10 by @renovate-sh-app[bot] in #2669
chore(deps): update grafana/shared-workflows/get-vault-secrets action to v1.3.2 by @renovate-sh-app[bot] in #2682
chore(deps): update dependency postcss to ^8.5.13 by @renovate-sh-app[bot] in #2685
fix(deps): update module github.com/go-openapi/runtime to v0.29.5 by @renovate-sh-app[bot] in #2687
chore(deps): update dependency kubernetes-sigs/controller-tools to v0.21.0 by @renovate-sh-app[bot] in #2691
fix(deps): update module sigs.k8s.io/controller-runtime to v0.24.1 by @renovate-sh-app[bot] in #2700
fix(deps): update kubernetes monorepo to v0.36.1 by @renovate-sh-app[bot] in #2702
fix(deps): update module github.com/go-openapi/runtime to v0.30.0 by @renovate-sh-app[bot] in #2706

Documentation

chore(docs): remove inaccurate reference to v5.20.0 and and note by @weisdd in #2619
docs: clarify AI policy for first time contributors by @theSuess in #2653
chore: release 5.23.0 by @theSuess in #2713

Other Changes

chore(workflows): deprecate trivy by @weisdd in #2597
chore(Make): Take ENVTEST and ENVTEST_K8S versions from go.mod by @Baarsgaard in #2612
chore(Renovate): Auto update Grafana version everywhere by @Baarsgaard in #2608
chore(Make): Simplify manifests target by @Baarsgaard in #2611
chore(controllers): simplify indexing tests by @weisdd in #2622
chore(controllers): simplify indexing tests 2 by @weisdd in #2624
chore(api): simplify indexing 3 by @weisdd in #2625
chore(go): bump to 1.26.2 by @weisdd in #2633
chore(codeowners): move Edvin to emeritus by @weisdd in #2643
chore(deps): move some dep updates from 2660 by @weisdd in #2672
chore(renovate): ungroup gomod updates by @weisdd in #2671
chore(deps): move remaining dep updates from 2660 and fix related code by @weisdd in #2673
chore(metrics): remove unused metrics by @weisdd in #2683
chore(go): bump to 1.26.3 by @weisdd in #2689
chore(renovate): disable npm manager by @weisdd in #2688
ci: use github-app-token-broker for GH app access by @theSuess in #2707
fix: OLM deployment of operator unable to reconcile Grafana when using kube auth by @ThisIsntTheWay in #2709

New Contributors

@peterbueschel made their first contribution in #2595
@raks-tt made their first contribution in #2661
@ThisIsntTheWay made their first contribution in #2709
@immanuwell made their first contribution in #2704

Full Changelog: grafana/grafana-operator@v5.22.2...v5.23.0

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

….24.0 [security]

renovate · 2026-06-23T18:35:27Z

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

79 additional dependencies were updated
The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.26.1` -> `1.26.3`
`cuelang.org/go`	`v0.7.0` -> `v0.11.0`
`k8s.io/api`	`v0.35.2` -> `v0.36.1`
`k8s.io/apiextensions-apiserver`	`v0.35.2` -> `v0.36.1`
`github.com/alecthomas/kong`	`v1.14.0` -> `v1.15.0`
`github.com/go-openapi/swag/cmdutils`	`v0.24.0` -> `v0.26.0`
`github.com/go-openapi/swag/conv`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/fileutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/jsonname`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/jsonutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/loading`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/mangling`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/netutils`	`v0.24.0` -> `v0.26.0`
`github.com/go-openapi/swag/stringutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/typeutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/yamlutils`	`v0.25.5` -> `v0.26.0`
`cel.dev/expr`	`v0.24.0` -> `v0.25.1`
`cuelabs.dev/go/oci/ociregistry`	`v0.0.0-20231103182354-93e78c079a13` -> `v0.0.0-20251212221603-3adeb8663819`
`github.com/coreos/go-systemd/v22`	`v22.5.0` -> `v22.7.0`
`github.com/emicklei/proto`	`v1.11.2` -> `v1.14.2`
`github.com/go-jose/go-jose/v4`	`v4.1.3` -> `v4.1.4`
`github.com/go-openapi/analysis`	`v0.24.3` -> `v0.25.2`
`github.com/go-openapi/jsonpointer`	`v0.22.5` -> `v0.23.1`
`github.com/go-openapi/jsonreference`	`v0.21.5` -> `v0.21.6`
`github.com/go-openapi/runtime`	`v0.29.3` -> `v0.32.3`
`github.com/go-openapi/spec`	`v0.22.4` -> `v0.22.5`
`github.com/go-openapi/strfmt`	`v0.26.0` -> `v0.26.3`
`github.com/go-openapi/swag`	`v0.24.1` -> `v0.26.0`
`github.com/go-openapi/validate`	`v0.25.2` -> `v0.25.3`
`github.com/go-test/deep`	`v1.1.0` -> `v1.1.1`
`github.com/google/cel-go`	`v0.26.0` -> `v0.26.1`
`github.com/google/gnostic-models`	`v0.7.0` -> `v0.7.1`
`github.com/google/go-jsonnet`	`v0.21.0` -> `v0.22.0`
`github.com/grafana/grafana-openapi-client-go`	`v0.0.0-20251202103709-7ef691d4df1d` -> `v0.0.0-20260430175825-547a3b5a00a5`
`github.com/grpc-ecosystem/grpc-gateway/v2`	`v2.27.3` -> `v2.28.0`
`github.com/klauspost/compress`	`v1.18.2` -> `v1.18.5`
`github.com/pelletier/go-toml/v2`	`v2.2.3` -> `v2.2.4`
`github.com/prometheus/procfs`	`v0.17.0` -> `v0.20.1`
`github.com/protocolbuffers/txtpbfmt`	`v0.0.0-20230412060525-fa9f017c0ded` -> `v0.0.0-20251124094003-fcb97cc64c7b`
`github.com/sirupsen/logrus`	`v1.9.3` -> `v1.9.4`
`github.com/spf13/cobra`	`v1.10.0` -> `v1.10.2`
`github.com/stoewer/go-strcase`	`v1.3.0` -> `v1.3.1`
`go.etcd.io/etcd/api/v3`	`v3.6.4` -> `v3.6.8`
`go.etcd.io/etcd/client/pkg/v3`	`v3.6.4` -> `v3.6.8`
`go.etcd.io/etcd/client/v3`	`v3.6.4` -> `v3.6.8`
`go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc`	`v0.63.0` -> `v0.67.0`
`go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp`	`v0.64.0` -> `v0.67.0`
`go.opentelemetry.io/otel`	`v1.41.0` -> `v1.44.0`
`go.opentelemetry.io/otel/exporters/otlp/otlptrace`	`v1.39.0` -> `v1.43.0`
`go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc`	`v1.36.0` -> `v1.43.0`
`go.opentelemetry.io/otel/metric`	`v1.41.0` -> `v1.44.0`
`go.opentelemetry.io/otel/sdk`	`v1.41.0` -> `v1.44.0`
`go.opentelemetry.io/otel/trace`	`v1.41.0` -> `v1.44.0`
`go.opentelemetry.io/proto/otlp`	`v1.9.0` -> `v1.10.0`
`go.uber.org/zap`	`v1.27.1` -> `v1.28.0`
`go.yaml.in/yaml/v2`	`v2.4.3` -> `v2.4.4`
`golang.org/x/crypto`	`v0.48.0` -> `v0.52.0`
`golang.org/x/exp`	`v0.0.0-20251002181428-27f1f14c8bb9` -> `v0.0.0-20260112195511-716be5621a96`
`golang.org/x/mod`	`v0.32.0` -> `v0.35.0`
`golang.org/x/net`	`v0.51.0` -> `v0.55.0`
`golang.org/x/oauth2`	`v0.34.0` -> `v0.36.0`
`golang.org/x/sync`	`v0.19.0` -> `v0.20.0`
`golang.org/x/sys`	`v0.41.0` -> `v0.45.0`
`golang.org/x/term`	`v0.40.0` -> `v0.43.0`
`golang.org/x/text`	`v0.34.0` -> `v0.37.0`
`golang.org/x/time`	`v0.14.0` -> `v0.15.0`
`golang.org/x/tools`	`v0.41.0` -> `v0.44.0`
`gomodules.xyz/jsonpatch/v2`	`v2.4.0` -> `v2.5.0`
`google.golang.org/genproto/googleapis/api`	`v0.0.0-20251202230838-ff82c1b0f217` -> `v0.0.0-20260401024825-9d38bb4040a9`
`google.golang.org/genproto/googleapis/rpc`	`v0.0.0-20251202230838-ff82c1b0f217` -> `v0.0.0-20260406210006-6f92a3bedf2d`
`google.golang.org/grpc`	`v1.78.0` -> `v1.80.0`
`google.golang.org/protobuf`	`v1.36.11` -> `v1.36.12-0.20260120151049-f2248ac996af`
`k8s.io/apimachinery`	`v0.35.2` -> `v0.36.1`
`k8s.io/apiserver`	`v0.35.0` -> `v0.36.0`
`k8s.io/component-base`	`v0.35.0` -> `v0.36.0`
`k8s.io/kms`	`v0.34.0` -> `v0.36.0`
`k8s.io/utils`	`v0.0.0-20260108192941-914a6e750570` -> `v0.0.0-20260210185600-b8788abfbbc2`
`sigs.k8s.io/apiserver-network-proxy/konnectivity-client`	`v0.31.2` -> `v0.34.0`
`sigs.k8s.io/controller-runtime`	`v0.23.3` -> `v0.24.1`
`sigs.k8s.io/structured-merge-diff/v6`	`v6.3.2` -> `v6.4.0`

fix(deps): update module github.com/grafana/grafana-operator/v5 to v5…

4528611

….24.0 [security]

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update module github.com/grafana/grafana-operator/v5 to v5.24.0 [security]#614

fix(deps): update module github.com/grafana/grafana-operator/v5 to v5.24.0 [security]#614
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-github.qkg1.top-grafana-grafana-operator-v5-vulnerability

renovate Bot commented Jun 23, 2026

Uh oh!

renovate Bot commented Jun 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Jun 23, 2026

Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName

Details

Summary

Impact

Affected versions

Solutions and mitigations

Acknowledgement

Severity

References

Release Notes

v5.24.0

Upgrade instructions

Using Helm

Using kubectl

Using kustomize

Using OLM

What's Changed

Features

Fixes

Dependencies

Other Changes

New Contributors

v5.23.0

Upgrade instructions

Using Helm

Using kubectl

Using kustomize

Using OLM

What's Changed

Features

Fixes

Dependencies

Documentation

Other Changes

New Contributors

Configuration

Uh oh!

renovate Bot commented Jun 23, 2026

ℹ️ Artifact update notice

File name: go.mod

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

`v5.24.0`

`v5.23.0`