Help build the future of open source observability software Open positions

Check out the open source projects we support Downloads

Grot cannot remember your choice unless you click the consent notice at the bottom.

Precautionary patches for Grafana released following critical go vulnerability CVE-2023-24538

Precautionary patches for Grafana released following critical go vulnerability CVE-2023-24538

26 Apr, 2023 3 min

On April 19, Grafana Labs was made aware of a CVSS 9.8 Critical vulnerability in golang. While we have confirmed the presence of vulnerable versions in our services, we do not believe we have exploitable vulnerabilities at this time. Still, we are releasing patches as a precautionary measure.

While the base CVSS score is 9.8 (Critical), we assess Grafana’s exposure in open source, Grafana Enterprise, and Grafana Cloud as CVSS 0.0. (Informational)

We also encourage users and customers to upgrade any go-based, third-party plugins as new versions become available, as a matter of course.

Release 9.5.1, latest patch, also containing security fix:

Release 9.4.9, also containing security fix:

Release 9.3.13, also containing security fix:

Release 9.2.17, also containing security fix:

Release 8.5.24, also containing security fix:

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.

Summary of CVE-2023-24548

An issue in how go handles backticks (`) with Javascript can lead to an injection of arbitrary code into go templates. While Grafana Labs software contains potentially vulnerable versions of go, we have not identified any exploitable use cases at this time.

The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base).


No exploitable impact identified. The base vulnerability permits injection of arbitrary Javascript into go templates.

Impacted versions

All Grafana versions

Solutions and mitigations

There is no mitigation required for any products or OSS projects developed by Grafana Labs; however, you can apply patches to your Grafana instances as a precautionary measure. We also encourage you to update any third-party, go-based plugins as new versions become available.

Reporting security issues

If you think you have found a security vulnerability, please send a report to This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is 225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0

The key is available from

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.