Grafana

DEVOPSINFRA · APIS
Velocity 5.0

Monitoring dashboards

Grafana ships a coordinated multi-branch security wave on top of the v13 release.

security-patches · cve-disclosure · lts-backports · dashboards · logs-ux · observability
Current state
The recent timeline is dominated by security work: a synchronized May 12 release of patched builds across five supported lines (11.6, 12.2, 12.3, 12.4, 13.0) covering the same ten CVEs, plus a June 2 follow-on patch for 13.0.2 addressing a fresh batch including a Loki path-traversal and a Geomap URL sanitization fix. Underneath that, v13.0 itself shipped in April with bundled-datasource dashboards, the redesigned logs panel from v12.3, and the dynamic-dashboard automation from v12.4.
Where it's heading
Grafana is operating a mature CNA-style disclosure pipeline — vendor-acknowledgement timestamps in patch notes suggest a private partner channel and synchronized backports. The product direction itself is consolidating around dashboard automation, logs UX, and easier onboarding. The two streams (feature shipping and security cadence) run in parallel without slowing each other.
Prediction
Expect 13.0.x patch releases at roughly monthly cadence as more partner-acknowledged vulns land, alongside continued investment in dashboard templating and the logs/traces explorers that v12.3 and v12.4 set up.

Recent moves

  1. 25d ago

    13.0.2 security patch: Geomap URL, body-size cap, Loki path traversal

    A 13.0.2 patch release bundling four newly disclosed vulns — Geomap URL sanitization, request body size capping, and a Loki path-traversal — each with partner-acknowledgement timestamps from late April. Fits the cadence of disciplined post-v13 security maintenance.

  2. 1mo ago

    12.3.6 security patch (10 CVEs + Alertmanager fix)

    12.3.6+security-04 ships the same ten-CVE batch landed across all supported branches on May 12, plus an Alertmanager autogenerated-receivers fix. Part of the coordinated multi-line security release that defines the period.

  3. 1mo ago

    12.4.3 security patch (10 CVE backports)

    12.4.3+security-02 carries the same ten-CVE backport set as the other branches in the May 12 wave. Confirms Grafana is maintaining synchronized security parity across all currently supported lines.

  4. 1mo ago

    12.2.8 security patch (10 CVE backports to 12.2 LTS)

    12.2.8+security-04 extends the May 12 ten-CVE batch back to the 12.2 line. The willingness to keep patching 12.2 alongside 13.0 signals a meaningful LTS commitment to operators who can't move fast.

  5. 1mo ago

    11.6.14 security patch (10 CVE backports to 11.6 LTS)

    11.6.14+security-04 backports the same ten-CVE batch as far as the 11.6 line, the oldest in the May 12 wave. Useful for users who haven't moved off 11.x; reinforces the long-tail support story.

  6. 1mo ago

    13.0.1 security patch (10 CVEs on current major)

    13.0.1+security-01 carries the same ten-CVE batch on the current major. Together with the other four branches in the May 12 wave, it shows the disclosure team's pipeline working as designed.
