OPENSUSE-SU-2026:21351-1
Vulnerability from csaf_opensuse - Published: 2026-07-14 09:22 - Updated: 2026-07-14 09:22Summary
Security update for grafana
Severity
Moderate
Notes
Title of the patch: Security update for grafana
Description of the patch: This update for grafana fixes the following issues:
Changes in grafana:
- Add UI web assets as additional source tarball
- Update to version 12.4.5 (jsc#PED-16512):
* Datasources: return 400 when payload UID does not match URL UID
in PUT /api/datasources/uid/:uid
- Update to version 12.4.4:
* Security and quality updates.
* Various bug fixes and enhancements.
- Update to version 12.4.3:
* Analytics: Keep internal dashboard id.
* Go: Update to 1.25.9.
* Reporting: Correctly apply appSubURL to report settings
requests.
* Alerting: Document Grafana HA Alertmanager cluster metrics
prefix change.
- Update to version 12.4.2:
* Various bug fixes and performance improvements.
* Dependency updates to core plugins and UI libraries.
- Update to version 12.4.1:
* Bug fixes and minor quality-of-life enhancements.
* Updates to data source provisioning and dashboard schemas.
- Update to version 12.4.0:
* Introduced dynamic dashboards in public preview.
* Added a new side toolbar that replaces the second top toolbar
to provide additional vertical space.
* Added the ability to create dashboards from templates using
sample data.
* Revamped the gauge visualization with rounded bars,
configurable bar thickness, and endpoint markers.
* Added support to map one variable to multiple values.
* CVE-2025-12141: Fixed information leakage in Grafana Alerting
(bsc#1262187)
- Update to version 12.3.0:
* Released a completely redesigned logs visualization.
* Added the ability to export dashboards directly as PNG images.
* Introduced an interactive learning experience within the
Grafana UI.
* Added a Switch template variable type to quickly toggle between
values in queries.
* Added functionality to style table cells using CSS properties
via the field cell option.
- Update to version 12.2.0:
* Routine feature enhancements, minor bug fixes, and security
patches.
- Update to version 12.1.0:
* Added support for Entra Workload Identity to enhance
authentication capabilities with federated credentials.
* Redesigned the alert rule list page.
* Renamed Mute Timings to Active Time Intervals in Grafana
Alerting.
* Added support for Service Account Impersonation in the BigQuery
data source.
* Introduced the Grafana Advisor in public preview.
- Update to version 12.0.0:
* BREAKING: Removed AngularJS and all deprecated UI Extensions
APIs.
* BREAKING: Enforced stricter version compatibility checks in
plugin CLI install commands.
* BREAKING: Enabled the failWrongDSUID feature flag by default,
which rejects data sources with incorrect UIDs.
* MIGRATION: Triggered a full-table rewrite for the annotation
table, which may temporarily increase disk usage.
* Introduced a new dashboard schema to replace the original
single grid layout.
- CVE-2026-41607: Fix potential information disclosure in Apache
Thrift (bsc#1263272)
Patchnames: openSUSE-Leap-16.0-packagehub-416
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
13 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for grafana",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for grafana fixes the following issues:\n\nChanges in grafana:\n\n- Add UI web assets as additional source tarball\n\n- Update to version 12.4.5 (jsc#PED-16512):\n * Datasources: return 400 when payload UID does not match URL UID\n in PUT /api/datasources/uid/:uid\n\n- Update to version 12.4.4:\n * Security and quality updates.\n * Various bug fixes and enhancements.\n\n- Update to version 12.4.3:\n * Analytics: Keep internal dashboard id.\n * Go: Update to 1.25.9.\n * Reporting: Correctly apply appSubURL to report settings\n requests.\n * Alerting: Document Grafana HA Alertmanager cluster metrics\n prefix change.\n\n- Update to version 12.4.2:\n * Various bug fixes and performance improvements.\n * Dependency updates to core plugins and UI libraries.\n\n- Update to version 12.4.1:\n * Bug fixes and minor quality-of-life enhancements.\n * Updates to data source provisioning and dashboard schemas.\n\n- Update to version 12.4.0:\n * Introduced dynamic dashboards in public preview.\n * Added a new side toolbar that replaces the second top toolbar\n to provide additional vertical space.\n * Added the ability to create dashboards from templates using\n sample data.\n * Revamped the gauge visualization with rounded bars,\n configurable bar thickness, and endpoint markers.\n * Added support to map one variable to multiple values.\n * CVE-2025-12141: Fixed information leakage in Grafana Alerting\n (bsc#1262187)\n\n- Update to version 12.3.0:\n * Released a completely redesigned logs visualization.\n * Added the ability to export dashboards directly as PNG images.\n * Introduced an interactive learning experience within the\n Grafana UI.\n * Added a Switch template variable type to quickly toggle between\n values in queries.\n * Added functionality to style table cells using CSS properties\n via the field cell option.\n\n- Update to version 12.2.0:\n * Routine feature enhancements, minor bug fixes, and security\n patches.\n\n- Update to version 12.1.0:\n * Added support for Entra Workload Identity to enhance\n authentication capabilities with federated credentials.\n * Redesigned the alert rule list page.\n * Renamed Mute Timings to Active Time Intervals in Grafana\n Alerting.\n * Added support for Service Account Impersonation in the BigQuery\n data source.\n * Introduced the Grafana Advisor in public preview.\n\n- Update to version 12.0.0:\n * BREAKING: Removed AngularJS and all deprecated UI Extensions\n APIs.\n * BREAKING: Enforced stricter version compatibility checks in\n plugin CLI install commands.\n * BREAKING: Enabled the failWrongDSUID feature flag by default,\n which rejects data sources with incorrect UIDs.\n * MIGRATION: Triggered a full-table rewrite for the annotation\n table, which may temporarily increase disk usage.\n * Introduced a new dashboard schema to replace the original\n single grid layout.\n\n- CVE-2026-41607: Fix potential information disclosure in Apache\n Thrift (bsc#1263272)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-416",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_21351-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1262187",
"url": "https://bugzilla.suse.com/1262187"
},
{
"category": "self",
"summary": "SUSE Bug 1263272",
"url": "https://bugzilla.suse.com/1263272"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-12141 page",
"url": "https://www.suse.com/security/cve/CVE-2025-12141/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21725 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21725/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-41607 page",
"url": "https://www.suse.com/security/cve/CVE-2026-41607/"
}
],
"title": "Security update for grafana",
"tracking": {
"current_release_date": "2026-07-14T09:22:23Z",
"generator": {
"date": "2026-07-14T09:22:23Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:21351-1",
"initial_release_date": "2026-07-14T09:22:23Z",
"revision_history": [
{
"date": "2026-07-14T09:22:23Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-12.4.5-bp160.1.1.aarch64",
"product": {
"name": "grafana-12.4.5-bp160.1.1.aarch64",
"product_id": "grafana-12.4.5-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-12.4.5-bp160.1.1.ppc64le",
"product": {
"name": "grafana-12.4.5-bp160.1.1.ppc64le",
"product_id": "grafana-12.4.5-bp160.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-12.4.5-bp160.1.1.s390x",
"product": {
"name": "grafana-12.4.5-bp160.1.1.s390x",
"product_id": "grafana-12.4.5-bp160.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-12.4.5-bp160.1.1.x86_64",
"product": {
"name": "grafana-12.4.5-bp160.1.1.x86_64",
"product_id": "grafana-12.4.5-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-12.4.5-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.aarch64"
},
"product_reference": "grafana-12.4.5-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-12.4.5-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.ppc64le"
},
"product_reference": "grafana-12.4.5-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-12.4.5-bp160.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.s390x"
},
"product_reference": "grafana-12.4.5-bp160.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-12.4.5-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.x86_64"
},
"product_reference": "grafana-12.4.5-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-12141",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-12141"
}
],
"notes": [
{
"category": "general",
"text": "In Grafana\u0027s alerting system, users with edit permissions for a contact point, specifically the permissions \u201calert.notifications:write\u201d or \u201calert.notifications.receivers:test\u201d that are granted as part of the fixed role \"Contact Point Writer\", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.s390x",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-12141",
"url": "https://www.suse.com/security/cve/CVE-2025-12141"
},
{
"category": "external",
"summary": "SUSE Bug 1262187 for CVE-2025-12141",
"url": "https://bugzilla.suse.com/1262187"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.s390x",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.s390x",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-14T09:22:23Z",
"details": "moderate"
}
],
"title": "CVE-2025-12141"
},
{
"cve": "CVE-2026-21725",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21725"
}
],
"notes": [
{
"category": "general",
"text": "A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.\n\nThis requires several very stringent conditions to be met:\n\n- The attacker must have admin access to the specific datasource prior to its first deletion.\n- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.\n- The attacker must delete the datasource, then someone must recreate it.\n- The new datasource must not have the attacker as an admin.\n- The new datasource must have the same UID as the prior datasource. These are randomised by default.\n- The datasource can now be re-deleted by the attacker.\n- Once 30 seconds are up, the attack is spent and cannot be repeated.\n- No datasource with any other UID can be attacked.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.s390x",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21725",
"url": "https://www.suse.com/security/cve/CVE-2026-21725"
},
{
"category": "external",
"summary": "SUSE Bug 1258873 for CVE-2026-21725",
"url": "https://bugzilla.suse.com/1258873"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.s390x",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.s390x",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-14T09:22:23Z",
"details": "low"
}
],
"title": "CVE-2026-21725"
},
{
"cve": "CVE-2026-41607",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-41607"
}
],
"notes": [
{
"category": "general",
"text": "Out-of-bounds Read vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.s390x",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-41607",
"url": "https://www.suse.com/security/cve/CVE-2026-41607"
},
{
"category": "external",
"summary": "SUSE Bug 1263256 for CVE-2026-41607",
"url": "https://bugzilla.suse.com/1263256"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.s390x",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.s390x",
"openSUSE Leap 16.0:grafana-12.4.5-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-14T09:22:23Z",
"details": "moderate"
}
],
"title": "CVE-2026-41607"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…