This release includes 10 security fixes, relevant to security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: Grafana v12.3.6+security-04 resolves CVE-2026-28374 and corrects an Alertmanager config update bug.
Why it matters: Patch to v12.3.6+security-04 immediately because it fixes CVE-2026-28374, which has a severity score of 50.
Summary
AI summary: CVE-2026-28374 security vulnerability fixed.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High | Addresses CVE-2026-28374 (Source: granite4.1:30b@2026-05-23-audit; Confidence: low) | — |
| Security | Medium | Fixes CVE-2026-28374 (Source: llm_adapter@2026-05-21; Confidence: low) | — |
| Bugfix | Medium | Fixes error when updating Alertmanager config with autogenerated receivers (Source: llm_adapter@2026-05-21; Confidence: high) | — |
Full changelog
Bug fixes
- Alerting: Fix error when updating Alertmanager config with autogenerated receivers #113712, @moustafab
- Security: CVE-2026-28374
- Security: CVE-2026-28376
- Security: CVE-2026-28383
- Security: CVE-2026-28380
- Security: CVE-2026-33376
- Security: CVE-2026-28379
- Security: CVE-2026-33377
- Security: CVE-2026-33378
- Security: CVE-2026-33381
- Security: CVE-2026-33380
Security Fixes
- CVE-2026-28374
- CVE-2026-28376
- CVE-2026-28383
- CVE-2026-28380
- CVE-2026-33376
- CVE-2026-28379
- CVE-2026-33377
- CVE-2026-33378
- CVE-2026-33381
- CVE-2026-33380
About grafana
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.