CVE-2026-9029 in OSS
Summary
by MITRE • 06/22/2026
The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix.
Analysis
by VulDB Data Team • 06/22/2026
The vulnerability resides in the geomap panel's XYZ tile layer within Grafana's visualization framework and is a sanitization-order flaw that enables persistent cross-site scripting. It is a regression that circumvents the previously implemented CVE-2023-0507 fix, exposing organizations to exploitation through dashboard configurations in which editor-level users can inject malicious payloads. The core flaw is that sanitizeTextPanelContent() processes the raw template string before variable substitution by getTemplateSrv().replace(), so a glob-format variable containing unescaped HTML is substituted after sanitization has already run and reaches the OpenLayers rendering context unescaped.
The operational impact goes beyond a single XSS execution because the flaw leverages the permissions dashboard editors already hold: anyone with edit access can craft a payload that executes automatically for every user who views the compromised dashboard. A single compromised dashboard thus becomes a persistent attack vector across an entire organization, with the malicious code running in the context of each viewer's browser session and potentially accessing sensitive data or performing unauthorized actions. The vulnerability operates through the element.innerHTML assignment, which injects the processed template content without proper HTML escaping and so bypasses the DOM sanitization that should have applied to it.
This flaw aligns with CWE-79 - Improper Neutralization of Input During Web Page Generation, specifically manifesting as a case where output encoding occurs in the wrong order relative to input processing. The vulnerability also maps to ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, as it enables attackers to create malicious dashboard configurations that can be distributed through legitimate administrative channels. Organizations using Grafana versions affected by this vulnerability face significant risk of credential theft, data exfiltration, and privilege escalation attacks, particularly in environments where dashboard editors have broad permissions or where dashboards are shared across multiple user groups.
The security implications extend beyond immediate code execution as the vulnerability demonstrates poor input validation and output encoding practices that violate fundamental web security principles. The sanitization order bug creates a scenario where content that should be treated as safe configuration data becomes executable code, representing a failure in the defense-in-depth approach typically employed in modern web applications. This particular vulnerability underscores the importance of maintaining consistent security boundaries between different processing phases and highlights how seemingly minor changes to sanitization order can create significant security regressions that affect enterprise deployments.
Mitigation strategies should focus on escaping variable values before they are substituted into the template, ensuring that all user-provided content undergoes appropriate HTML encoding regardless of its intended use within the application context. Organizations should immediately restrict dashboard editing permissions where possible and implement additional monitoring for suspicious dashboard modifications. The fix requires a complete review of the sanitization pipeline to ensure that output escaping occurs after variable substitution but before content is rendered in browser contexts, preventing the bypass of security controls that previously protected against similar vulnerabilities.
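As an added illustration of the ordering described in the summary and of the mitigation above (example code written for this entry, not Grafana's own), the following models a panel template with a toy sanitizer and a glob-style variable substitution that performs no escaping: renderVulnerable sanitizes first and then interpolates, while renderFixed interpolates first so the substituted value passes through the sanitizer before it would reach element.innerHTML. The sanitize(), replaceVars() and hasDisallowedTag() functions and the ${source} variable are assumptions for the demonstration, not Grafana APIs.

```javascript
// Added example: models the sanitize-then-interpolate ordering bug.
// sanitize() and replaceVars() are stand-ins (assumptions), not Grafana's
// sanitizeTextPanelContent() or getTemplateSrv().replace().

// Escape the five HTML metacharacters.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Toy sanitizer: escape everything, then restore a tiny allowlist of tags.
// Anything else (script elements, event-handler attributes) stays inert text.
function sanitize(html) {
  return escapeHtml(html).replace(/&lt;(\/?)(b|i|br)&gt;/g, "<$1$2>");
}

// Stand-in for glob-format variable substitution: replaces ${name} / $name
// with the raw variable value and performs no HTML escaping.
function replaceVars(template, vars) {
  return template.replace(/\$\{(\w+)\}|\$(\w+)/g, (match, braced, bare) => {
    const name = braced || bare;
    return Object.prototype.hasOwnProperty.call(vars, name) ? String(vars[name]) : match;
  });
}

// Vulnerable order from the advisory: sanitize the raw template, then
// interpolate. The variable value never passes through the sanitizer.
function renderVulnerable(template, vars) {
  return replaceVars(sanitize(template), vars);
}

// Fixed order: interpolate first, then sanitize the fully expanded string
// immediately before it would be assigned to element.innerHTML.
function renderFixed(template, vars) {
  return sanitize(replaceVars(template, vars));
}

// Check on the rendered string: true if a raw tag outside the b/i/br
// allowlist survived, i.e. the sanitizer was bypassed.
function hasDisallowedTag(html) {
  return /<\/?(?!(?:b|i|br)\b)[a-z][^>]*>/i.test(html);
}

// Constructed sample: a dashboard template and a textbox variable whose
// default value carries an inert marker in place of a real payload.
const SAMPLE_TEMPLATE = "Tile source: ${source} <b>loaded</b>";
const SAMPLE_VARS = { source: "<script>probe()</script>" };
```

Running hasDisallowedTag over what a panel is about to assign to innerHTML is a cheap regression check for this ordering class, independent of which sanitizer is in use.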