
chore: [#434] upgrade Grafana to 13.0.0 and document CVE-2026-34986 analysis#453

Merged
josecelano merged 4 commits into main from 434-grafana-cves
Apr 14, 2026

Conversation

@josecelano
Member

Summary

Upgrades Grafana from 12.4.2 → 13.0.0 to eliminate CVE-2026-34986, an unauthenticated remote DoS (CVSS 7.5, AV:N/AC:L/PR:N/UI:N) that affects our public-facing Grafana endpoint.

Background

A full re-scan of grafana/grafana:12.4.2 with an updated Trivy DB revealed 13 HIGH CVEs instead of the 4 originally found. Among them, CVE-2026-34986 (go-jose/go-jose/v4 < 4.1.4) allows an attacker to crash Grafana by sending a crafted JWE bearer token to any HTTP endpoint — no credentials required.

Grafana fixed this in grafana/grafana#121830 with a no-backport label, so no 12.x patch will be issued. grafana/grafana:13.0.0 was released on 2026-04-11 and ships go-jose/v4 4.1.4.

Version comparison

| Version | HIGH | CRITICAL | CVE-2026-34986 (remote DoS) |
|---------|------|----------|-----------------------------|
| 12.4.2  | 13   | 0        | present                     |
| 13.0.0  | 10   | 0        | absent                      |

Files changed

| File | Change |
|------|--------|
| src/domain/grafana/config.rs | Bump GRAFANA_DOCKER_IMAGE_TAG 12.4.2 → 13.0.0 |
| src/infrastructure/.../context/grafana.rs | Fix stale version in doc comment |
| docs/issues/434-grafana-cves.md | Full analysis, PoC, mitigation options, 13.0.0 scan results |
| docs/security/docker/scans/grafana.md | Updated scan history with 13.0.0 entry |
| .github/workflows/docker-security-scan.yml | Update example comment to 13.0.0 |
| project-words.txt | New security-related words for cspell |

Validation

  • All linters pass: cargo run --bin linter all

Closes #434
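The version comparison above comes from Trivy scans of the two images. The script below is an added example, not code from this repository or this PR: it reads a Trivy JSON report (the shape `trivy image --format json` produces), counts findings by severity, checks whether a named CVE is present, and diffs a before/after pair so an upgrade can be gated on "the blocked CVE is gone and nothing CRITICAL came in". Both embedded reports are constructed to mimic Trivy's layout; only CVE-2026-34986, the go-jose package and the 4.1.4 fix version come from the issue, and the `CVE-0000-000x` ids, installed versions and targets are placeholders.

```python
"""Gate a container image on a Trivy JSON scan (added example, not project code)."""
import json
from collections import Counter

# Constructed sample mimicking a Trivy report for the pre-upgrade image.
# Only CVE-2026-34986 / go-jose / 4.1.4 come from the issue; everything else is a placeholder.
SCAN_BEFORE = json.dumps({
    "ArtifactName": "grafana/grafana:12.4.2",
    "Results": [
        {
            "Target": "usr/share/grafana/bin/grafana",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2026-34986",
                 "PkgName": "github.com/go-jose/go-jose/v4",
                 "InstalledVersion": "v4.1.0-placeholder",  # placeholder: any version < 4.1.4
                 "FixedVersion": "4.1.4",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example/pkg-a",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example/pkg-b",
                 "InstalledVersion": "2.0.0", "FixedVersion": "", "Severity": "MEDIUM"},
            ],
        },
        # Trivy omits the "Vulnerabilities" key entirely for a clean target.
        {"Target": "os-packages-placeholder", "Class": "os-pkgs"},
    ],
})

# Constructed sample for the post-upgrade image: go-jose finding gone, one HIGH remains.
SCAN_AFTER = json.dumps({
    "ArtifactName": "grafana/grafana:13.0.0",
    "Results": [
        {
            "Target": "usr/share/grafana/bin/grafana",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example/pkg-a",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
            ],
        },
        # Trivy may also emit the key as null; the code below tolerates both forms.
        {"Target": "os-packages-placeholder", "Class": "os-pkgs", "Vulnerabilities": None},
    ],
})


def findings(report_json: str) -> list:
    """Flatten every vulnerability entry across all results, tolerating missing or null lists."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            out.append(vuln)
    return out


def severity_counts(report_json: str) -> dict:
    """Count findings per severity, always returning every severity bucket."""
    counts = Counter(v.get("Severity", "UNKNOWN") for v in findings(report_json))
    return {sev: counts.get(sev, 0) for sev in ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")}


def has_cve(report_json: str, cve_id: str) -> bool:
    """True if the given CVE id appears anywhere in the report."""
    return any(v.get("VulnerabilityID") == cve_id for v in findings(report_json))


def diff_scans(before_json: str, after_json: str) -> dict:
    """Compare two scans by CVE id: what an upgrade fixed, introduced, or left in place."""
    before = {v["VulnerabilityID"] for v in findings(before_json)}
    after = {v["VulnerabilityID"] for v in findings(after_json)}
    return {
        "fixed": sorted(before - after),
        "introduced": sorted(after - before),
        "remaining": sorted(before & after),
    }


def gate(report_json: str, blocked_cves=(), max_critical: int = 0) -> list:
    """Return the reasons the image fails the policy; an empty list means it passes."""
    reasons = []
    counts = severity_counts(report_json)
    if counts["CRITICAL"] > max_critical:
        reasons.append(f"{counts['CRITICAL']} CRITICAL findings (max {max_critical})")
    for cve in blocked_cves:
        if has_cve(report_json, cve):
            reasons.append(f"{cve} present")
    return reasons


if __name__ == "__main__":
    for tag, scan in (("12.4.2", SCAN_BEFORE), ("13.0.0", SCAN_AFTER)):
        print(tag, severity_counts(scan), gate(scan, blocked_cves=["CVE-2026-34986"]))
    print(diff_scans(SCAN_BEFORE, SCAN_AFTER))
```

In a CI job the two JSON strings would be replaced by the files Trivy wrote for the old and new tags; `gate` returning a non-empty list is the signal to fail the build, and `diff_scans` gives the "fixed / introduced / remaining" summary that the version table above records by hand.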

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@josecelano
Member Author

ACK b1cda31

@josecelano josecelano merged commit 95a063f into main Apr 14, 2026
44 checks passed
josecelano added a commit that referenced this pull request Apr 15, 2026
Removed 5 closed issue documentation files from docs/issues/:
- #431: backup-cves (PR #457 merged)
- #433: prometheus-cves (PR #454 merged)
- #434: grafana-cves (PR #453 merged)
- #435: mysql-cves (PR #456 merged)
- #444: rand-0.9.2-rustsec (closed)

Remaining open issues: #413, #429, #432, #443


Development

Successfully merging this pull request may close these issues.

Investigate unresolved Grafana CVEs after upgrade to 12.4.2
