Red Hat Product Security issued an advisory for Grafana on Red Hat Enterprise Linux 9 addressing two vulnerabilities: CVE-2026-32282, where golang's internal syscall unix Root.Chmod function can follow symbolic links outside the intended root directory, potentially leading to unauthorized file permission changes; and CVE-2026-32283, a denial of service vulnerability in Go's crypto/tls package caused by processing multiple TLS 1.3 key update messages. The advisory includes updated Grafana packages (version 10.2.6-21.el9_7) for multiple architectures and variants of Red Hat Enterprise Linux 9. No CVSS scores are provided in the advisory, but the issues are rated as having an important security impact. No known exploits in the wild have been reported. The vendor advisory provides detailed instructions and package links for applying the update.

The first vulnerability (CVE-2026-32282) could allow unauthorized changes to file permissions by following symlinks outside the root directory, potentially leading to privilege escalation or unauthorized file modifications. The second vulnerability (CVE-2026-32283) could cause a denial of service condition in the TLS 1.3 implementation, disrupting secure communications. Both vulnerabilities affect Grafana packages distributed with Red Hat Enterprise Linux 9. No known active exploitation has been reported. The overall security impact is rated as high by Red Hat Product Security.

Red Hat has released updated Grafana packages for Red Hat Enterprise Linux 9 that address these vulnerabilities. Users should apply the official Red Hat update (grafana-10.2.6-21.el9_7) as soon as possible to remediate these issues. Detailed update instructions and package downloads are available in the Red Hat advisory RHSA-2026:11711 at https://access.redhat.com/errata/RHSA-2026:11711. Since this is not a cloud service, remediation requires manual update by system administrators. Patch status is confirmed as available via the vendor advisory.