A vulnerability in Grafana (CVE-2026-25679, CVSS 7.5 HIGH) stems from an incorrect parsing flaw for IPv6 host literals within the net/url library, which could potentially be exploited to manipulate URL parsing. The Red Hat Security Advisory RHSA-2026:8849 provides an important update to address this issue for Grafana on Red Hat Enterprise Linux 10.0 Extended Update Support. The fix is contained within the updated package version grafana-10.2.6-22.el10_0.
Red Hat Product Errata RHSA-2026:8849 - Security Advisory Issued: 2026-04-20 Updated: 2026-04-20 RHSA-2026:8849 - Security Advisory Overview Updated Packages Synopsis Important: grafana security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for grafana is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fix(es): net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64 Fixes BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url CVEs CVE-2026-25679 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 SRPM grafana-10.2.6-22.el10_0.src.rpm SHA-256: a5a5be311f09d7aa62e91b647ddfb7f32fb6a2e807ceb53ddfc81a3989d1b83e x86_64 grafana-10.2.6-22.el10_0.x86_64.rpm SHA-256: 26b9b53614f8e08fa37f69c40abfef716eb62a7fd65ad07d6d4635ccaea80411 grafana-debuginfo-10.2.6-22.el10_0.x86_64.rpm SHA-256: 5c3a91536e7b7dc65581bb85e674841f257dd91e175ea58cd75701f16eedfc7f grafana-debugsource-10.2.6-22.el10_0.x86_64.rpm SHA-256: 59c9852f2b130d0dc7c93cb11b9bf7d51f106f8cee8665dab8881d2687e66535 grafana-selinux-10.2.6-22.el10_0.x86_64.rpm SHA-256: 4386972ef7a98db4817cfd1af3eeb420c4dfffba5b6fd2cf6161eb7cc5ee451b Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 SRPM grafana-10.2.6-22.el10_0.src.rpm SHA-256: a5a5be311f09d7aa62e91b647ddfb7f32fb6a2e807ceb53ddfc81a3989d1b83e s390x grafana-10.2.6-22.el10_0.s390x.rpm SHA-256: 5d09c7239ea266b381200cd9d8704514e9488d73968de24f0e2be4d2cb7ae642 grafana-debuginfo-10.2.6-22.el10_0.s390x.rpm SHA-256: 2e8f9daaa6cdb5e495a763bd175f5c1421d6694c644c93bf0d326e353871b626 grafana-debugsource-10.2.6-22.el10_0.s390x.rpm SHA-256: cb694c83987dda3253343b6f4dbe7777fc91046c04313a509275ef7e8325509f grafana-selinux-10.2.6-22.el10_0.s390x.rpm SHA-256: 05939ba047bb8765874183498cd30486031a6d0241b0f3260f4a29b3e3bab12c Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 SRPM grafana-10.2.6-22.el10_0.src.rpm SHA-256: a5a5be311f09d7aa62e91b647ddfb7f32fb6a2e807ceb53ddfc81a3989d1b83e ppc64le grafana-10.2.6-22.el10_0.ppc64le.rpm SHA-256: 44c5395e605543b53290ceb4ceaab66f3029c614b0a43fa36f155fe66d65ebd0 grafana-debuginfo-10.2.6-22.el10_0.ppc64le.rpm SHA-256: c14ecb5943201ed0a097fc6ee11ae9d7f4935fa46ed06ce7779958b9b17a19cc grafana-debugsource-10.2.6-22.el10_0.ppc64le.rpm SHA-256: 34576463b75a217fbf45ed5367027cf21164bd82f40bc9913df307e2bb4b1fe8 grafana-selinux-10.2.6-22.el10_0.ppc64le.rpm SHA-256: a889cbeba1415964c5a509139bf85ecae6630978f148c025247f3251bbf72fb9 Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 SRPM grafana-10.2.6-22.el10_0.src.rpm SHA-256: a5a5be311f09d7aa62e91b647ddfb7f32fb6a2e807ceb53ddfc81a3989d1b83e aarch64 grafana-10.2.6-22.el10_0.aarch64.rpm SHA-256: 0e97e90008749e9041cc6b3b9414c8d48987afc97ef734770b71cc7fd4362cd3 grafana-debuginfo-10.2.6-22.el10_0.aarch64.rpm SHA-256: 38c03c4e73495dbaf26762884e8623018a6066fec82602ec96abfe703631b832 grafana-debugsource-10.2.6-22.el10_0.aarch64.rpm SHA-256: 29353deb8d4cd4b3a091c858fc633bbc4843cfc044757403a8870c1f589b4208 grafana-selinux-10.2.6-22.el10_0.aarch64.rpm SHA-256: af8e8878ccc0d1d31a0e9a9b327320ded62e48e5ef553f7f052969e3cd6cf530 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 SRPM grafana-10.2.6-22.el10_0.src.rpm SHA-256: a5a5be311f09d7aa62e91b647ddfb7f32fb6a2e807ceb53ddfc81a3989d1b83e aarch64 grafana-10.2.6-22.el10_0.aarch64.rpm SHA-256: 0e97e90008749e9041cc6b3b9414c8d48987afc97ef734770b71cc7fd4362cd3 grafana-debuginfo-10.2.6-22.el10_0.aarch64.rpm SHA-256: 38c03c4e73495dbaf26762884e8623018a6066fec82602ec96abfe703631b832 grafana-debugsource-10.2.6-22.el10_0.aarch64.rpm SHA-256: 29353deb8d4cd4b3a091c858fc633bbc4843cfc044757403a8870c1f589b4208 grafana-selinux-10.2.6-22.el10_0.aarch64.rpm SHA-256: af8e8878ccc0d1d31a0e9a9b327320ded62e48e5ef553f7f052969e3cd6cf530 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 SRPM grafana-10.2.6-22.el10_0.src.rpm SHA-256: a5a5be311f09d7aa62e91b647ddfb7f32fb6a2e807ceb53ddfc81a3989d1b83e s390x grafana-10.2.6-22.el10_0.s390x.rpm SHA-256: 5d09c7239ea266b381200cd9d8704514e9488d73968de24f0e2be4d2cb7ae642 grafana-debuginfo-10.2.6-22.el10_0.s390x.rpm SHA-256: 2e8f9daaa6cdb5e495a763bd175f5c1421d6694c644c93bf0d326e353871b626 grafana-debugsource-10.2.6-22.el10_0.s390x.rpm SHA-256: cb694c83987dda3253343b6f4dbe7777fc91046c04313a509275ef7e8325509f grafana-selinux-10.2.6-22.el10_0.s390x.rpm SHA-256: 05939ba047bb8765874183498cd30486031a6d0241b0f3260f4a29b3e3bab12c Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 SRPM grafana-10.2.6-22.el10_0.src.rpm SHA-256: a5a5be311f09d7aa62e91b647ddfb7f32fb6a2e807ceb53ddfc81a3989d1b83e ppc64le grafana-10.2.6-22.el10_0.ppc64le.rpm SHA-256: 44c5395e605543b53290ceb4ceaab66f3029c614b0a43fa36f155fe66d65ebd0 grafana-debuginfo-10.2.6-22.el10_0.ppc64le.rpm SHA-256: c14ecb5943201ed0a097fc6ee11ae9d7f4935fa46ed06ce7779958b9b17a19cc grafana-debugsource-10.2.6-22.el10_0.ppc64le.rpm SHA-256: 34576463b75a217fbf45ed5367027cf21164bd82f40bc9913df307e2bb4b1fe8 grafana-selinux-10.2.6-22.el10_0.ppc64le.rpm SHA-256: a889cbeba1415964c5a509139bf85ecae6630978f148c025247f3251bbf72fb9 Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 SRPM grafana-10.2.6-22.el10_0.src.rpm SHA-256: a5a5be311f09d7aa62e91b647ddfb7f32fb6a2e807ceb53ddfc81a3989d1b83e x86_64 grafana-10.2.6-22.el10_0.x86_64.rpm SHA-256: 26b9b53614f8e08fa37f69c40abfef716eb62a7fd65ad07d6d4635ccaea80411 grafana-debuginfo-10.2.6-22.el10_0.x86_64.rpm SHA-256: 5c3a91536e7b7dc65581bb85e674841f257dd91e175ea58cd75701f16eedfc7f grafana-debugsource-10.2.6-22.el10_0.x86_64.rpm SHA-256: 59c9852f2b130d0dc7c93cb11b9bf7d51f106f8cee8665dab8881d2687e66535 grafana-selinux-10.2.6-22.el10_0.x86_64.rpm SHA-256: 4386972ef7a98db4817cfd1af3eeb420c4dfffba5b6fd2cf6161eb7cc5ee451b The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .