Security update for grafana

Announcement ID:	SUSE-SU-2026:1037-1
Release Date:	2026-03-25T10:31:13Z
Rating:	important
References:	bsc#1245302 bsc#1255340 bsc#1257337 bsc#1257349 bsc#1258136 jsc#MSQA-1045
Cross-References:	CVE-2025-3415 CVE-2025-68156 CVE-2026-21720 CVE-2026-21721 CVE-2026-21722
CVSS scores:	CVE-2025-3415 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2025-3415 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2025-3415 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2025-68156 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-68156 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-68156 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-21720 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-21720 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-21721 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVE-2026-21721 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2026-21721 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2026-21722 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-21722 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-21722 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products:	openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Package Hub 15 15-SP7

An update that solves five vulnerabilities and contains one feature can now be installed.

Description:

This update for grafana fixes the following issues:

• Security issues fixed:

• CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136)

• CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337)
• CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
• CVE-2025-68156: Fixed potential DoS via unbounded recursion in builtin functions (bsc#1255340)

• CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (bsc#1245302)

• Version update from 11.5.10 to 11.6.11 with the following highlighted changes and fixes:

• Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and removed blurred backgrounds from UI overlays to speed up the interface.

• One-Click Actions: Visualizations now support faster navigation via one-click links and actions.
• Alerting History: Added version history for alert rules, allowing you to track changes over time.
• Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup.
• Cron Support: Annotations now support Cron syntax for more flexible scheduling.
• Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login redirection issues when Grafana is hosted on a subpath.
• Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend formatting.
• Alerting Limits: Added size limits for expanded notification templates to prevent system strain.
• RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field.
• Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled in repeated rows or nested queries.
• Dashboard Reliability: Resolved bugs involving row repeats and "self-referencing" data links.
• Alerting Fixes: Patched a critical "panic" (crash) caused by a race condition in alert rules and fixed issues where contact points weren't working correctly.
• URL Handling: Fixed a bug where "true" values in URL parameters weren't being read correctly

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2026-1037=1
• SUSE Package Hub 15 15-SP7
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-1037=1

Package List:

• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  • grafana-debuginfo-11.6.11-150200.3.83.1
  • grafana-11.6.11-150200.3.83.1
• SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64)
  • grafana-debuginfo-11.6.11-150200.3.83.1
  • grafana-11.6.11-150200.3.83.1

References:

• https://www.suse.com/security/cve/CVE-2025-3415.html
• https://www.suse.com/security/cve/CVE-2025-68156.html
• https://www.suse.com/security/cve/CVE-2026-21720.html
• https://www.suse.com/security/cve/CVE-2026-21721.html
• https://www.suse.com/security/cve/CVE-2026-21722.html
• https://bugzilla.suse.com/show_bug.cgi?id=1245302
• https://bugzilla.suse.com/show_bug.cgi?id=1255340
• https://bugzilla.suse.com/show_bug.cgi?id=1257337
• https://bugzilla.suse.com/show_bug.cgi?id=1257349
• https://bugzilla.suse.com/show_bug.cgi?id=1258136
• https://jira.suse.com/browse/MSQA-1045