Summary
The demo server (grafana.torrust-tracker-demo.com) is running
grafana/grafana:12.4.2, which contains CVE-2026-34986 in its bundled
go-jose/go-jose/v4 4.1.3 dependency. The fix ships in grafana/grafana:13.0.0
(released 2026-04-11).
torrust/torrust-tracker-deployer PR #453
updates the deployer's default Grafana image to 13.0.0 for future deployments,
but the already-running demo server must be updated separately by pulling the new
image and restarting the container.
Background — CVE-2026-34986

| Field | Value |
|---|---|
| Advisory | GHSA-78h2-9frx-2jm8 |
| CVSS | 7.5 High — AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Package | go-jose/go-jose/v4 < 4.1.4 (bundled in Grafana binary) |
| Fix | go-jose/v4 4.1.4, shipped in grafana/grafana:13.0.0 via grafana/grafana#121830 |
| Backport | no-backport — no fix for any 12.x version |
The vulnerability allows a crafted JWE bearer token to panic the go-jose parser and
crash the Grafana process. In practice, testing against the live demo on 2026-04-14
showed that Grafana's default API-key auth handler intercepted the request before
go-jose was called, so the simple bearer-token attack path was not confirmed
exploitable on this deployment. The upgrade is still recommended as defence in depth.
Version comparison
| Version | HIGH | CRITICAL | CVE-2026-34986 |
|---|---|---|---|
| 12.4.2 | 13 | 0 | present |
| 13.0.0 | 10 | 0 | absent ✅ |
Steps to upgrade on the demo server
SSH into the demo server and run:

```bash
cd /opt/torrust
docker compose pull grafana
docker compose up -d grafana
docker compose ps grafana
```

Verify the new version:

```bash
docker inspect grafana --format '{{.Config.Image}}'
# Expected: grafana/grafana:13.0.0
```

Check Grafana is healthy:

```bash
curl -s https://grafana.torrust-tracker-demo.com/api/health | jq .
# Expected: {"database":"ok","version":"13.0.0",...}
```
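The two verification steps above can be folded into one script that fails loudly when the deployment is still on a vulnerable version. This is an added example, not part of the issue or of the torrust-tracker-deployer project; it assumes the container is named `grafana` (as in the `docker inspect` command above), that 13.0.0 is the first fixed version, and that `/api/health` returns a `"version"` field as shown. It checks both the image tag and the version the running process reports, because a pulled image with an un-restarted container would pass the first check and fail the second.

```shell
#!/bin/sh
# Added example (not from the issue): verify the Grafana container on the demo
# server is no longer affected by CVE-2026-34986.
# Assumptions (not from the issue): container name "grafana", first fixed
# version 13.0.0, /api/health body containing "version":"x.y.z".

FIXED_VERSION="13.0.0"

# Extract the tag from an image reference: grafana/grafana:13.0.0 -> 13.0.0.
image_tag() {
    case "$1" in
        *:*) printf '%s\n' "${1##*:}" ;;
        *)   printf 'latest\n' ;;
    esac
}

# Return 0 if $1 >= $2 as dotted numeric versions (13.0.0 >= 12.4.2 is true).
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Pull "version" out of the /api/health JSON body without depending on jq.
health_version() {
    printf '%s' "$1" | sed -n 's/.*"version": *"\([^"]*\)".*/\1/p'
}

# Decide whether the deployment is fixed: the image tag AND the version the
# running process reports must both be >= FIXED_VERSION. A non-numeric tag
# such as "latest" cannot be verified and is treated as a failure.
verify_grafana() {
    tag=$(image_tag "$1")
    reported=$(health_version "$2")
    case "$tag" in
        *[!0-9.]*) echo "non-numeric tag '$tag': pin an explicit version" >&2; return 1 ;;
    esac
    if ! version_ge "$tag" "$FIXED_VERSION"; then
        echo "image tag $tag is below $FIXED_VERSION: still vulnerable" >&2; return 1
    fi
    if [ -z "$reported" ] || ! version_ge "$reported" "$FIXED_VERSION"; then
        echo "running process reports '$reported': container not restarted?" >&2; return 1
    fi
    echo "ok: image $tag, running $reported"
}

# Live check, only when invoked with --live on the demo server; uses the same
# docker and curl commands as the upgrade steps.
if [ "${1:-}" = "--live" ]; then
    img=$(docker inspect grafana --format '{{.Config.Image}}')
    body=$(curl -s https://grafana.torrust-tracker-demo.com/api/health)
    verify_grafana "$img" "$body"
fi
```

Run it as `sh verify-grafana.sh --live` after `docker compose up -d grafana`; a non-zero exit means the upgrade is incomplete, which makes it usable as a post-deploy gate.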
References