From 5dfd276d25ac5ccd04ce4da293aba910e4ee3ee0 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 19 Feb 2026 07:19:13 +0000
Subject: [PATCH] import OL grafana-10.2.6-18.el9_7
---
 SOURCES/0014-Fix-CVE-2026-21721.patch | 49 +++++++++++++++++++++++++++
 SPECS/grafana.spec | 11 +++++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0014-Fix-CVE-2026-21721.patch
diff --git a/SOURCES/0014-Fix-CVE-2026-21721.patch b/SOURCES/0014-Fix-CVE-2026-21721.patch
new file mode 100644
index 0000000..6e47e8b
--- /dev/null
+++ b/SOURCES/0014-Fix-CVE-2026-21721.patch
@@ -0,0 +1,49 @@
+From 3efa5e004426fed8f25ec513f2dce4658e3b6564 Mon Sep 17 00:00:00 2001
+From: Sam Feifer
+Date: Mon, 16 Feb 2026 15:35:19 -0500
+Subject: [PATCH] Fix CVE-2026-21721
+
+---
+ pkg/api/api.go | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/api/api.go b/pkg/api/api.go
+index 3db3cbafe73..b8c1dd5736e 100644
+--- a/pkg/api/api.go
++++ b/pkg/api/api.go
+@@ -461,12 +461,13 @@ func (hs *HTTPServer) registerRoutes() {
+ dashboardRoute.Get("/uid/:uid", authorize(ac.EvalPermission(dashboards.ActionDashboardsRead)), routing.Wrap(hs.GetDashboard))
+ dashboardRoute.Delete("/uid/:uid", authorize(ac.EvalPermission(dashboards.ActionDashboardsDelete)), routing.Wrap(hs.DeleteDashboardByUID))
+ dashboardRoute.Group("/uid/:uid", func(dashUidRoute routing.RouteRegister) {
++ dashUIDScope := dashboards.ScopeDashboardsProvider.GetResourceScopeUID(ac.Parameter(":uid"))
+ dashUidRoute.Get("/versions", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersions))
+ dashUidRoute.Post("/restore", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.RestoreDashboardVersion))
+ dashUidRoute.Get("/versions/:id", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersion))
+ dashUidRoute.Group("/permissions", func(dashboardPermissionRoute routing.RouteRegister) {
+- dashboardPermissionRoute.Get("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList))
+- dashboardPermissionRoute.Post("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions))
++ dashboardPermissionRoute.Get("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashUIDScope)), routing.Wrap(hs.GetDashboardPermissionList))
++ dashboardPermissionRoute.Post("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashUIDScope)), routing.Wrap(hs.UpdateDashboardPermissions))
+ })
+ })
+
+@@ -481,13 +482,14 @@ func (hs *HTTPServer) registerRoutes() {
+
+ // Deprecated: use /uid/:uid API instead.
+ dashboardRoute.Group("/id/:dashboardId", func(dashIdRoute routing.RouteRegister) {
++ dashIDScope := dashboards.ScopeDashboardsProvider.GetResourceScope(ac.Parameter(":dashboardId"))
+ dashIdRoute.Get("/versions", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersions))
+ dashIdRoute.Get("/versions/:id", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersion))
+ dashIdRoute.Post("/restore", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.RestoreDashboardVersion))
+
+ dashIdRoute.Group("/permissions", func(dashboardPermissionRoute routing.RouteRegister) {
+- dashboardPermissionRoute.Get("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList))
+- dashboardPermissionRoute.Post("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions))
++ dashboardPermissionRoute.Get("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashIDScope)), routing.Wrap(hs.GetDashboardPermissionList))
++ dashboardPermissionRoute.Post("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashIDScope)), routing.Wrap(hs.UpdateDashboardPermissions))
+ })
+ })
+ })
+--
+2.52.0
+
diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec
index 7f319b6..43aa1a8 100644
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@@ -26,7 +26,7 @@ end}
 Name: grafana
 Version: 10.2.6
-Release: 17%{?dist}
+Release: 18%{?dist}
 Summary: Metrics dashboard and graph editor
 License: AGPL-3.0-only
 URL: https://grafana.org
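Review bot: In the pkg/api/api.go hunks, the sibling `/versions`, `/restore` and `/versions/:id` routes in both the `/uid/:uid` and `/id/:dashboardId` groups still use `ac.EvalPermission(dashboards.ActionDashboardsWrite)` with no scope, so the middleware check on them is not bound to the dashboard named in the path the way the two `/permissions` routes now are. If the handlers, which are outside this patch, do not enforce per-dashboard access themselves, pass the scope there too, e.g. `authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite, dashUIDScope))` (and `dashIDScope` in the deprecated group); if they do, a short comment above those lines saying so would record why they were left unscoped. The patch also carries no test: a case asserting that the permissions endpoints are refused for a dashboard outside the caller's scopes, on both the uid and the numeric-id route, would guard against regression, and the id route is worth covering separately because its scope is built with `GetResourceScope` rather than `GetResourceScopeUID`. `registerRoutes` begins and ends outside both hunks.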
@@ -81,6 +81,7 @@ Patch10: 0010-remove-bcrypt-references.patch
 Patch11: 0011-fix-dompurify-CVE.patch
 Patch12: 0012-fix-jwt-CVE.patch
 Patch13: 0013-fix-CVE-2025-4123.patch
+Patch14: 0014-Fix-CVE-2026-21721.patch
 # Patches affecting the vendor tarball
 Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
@@ -776,6 +777,7 @@ rm -r plugins-bundled
 %patch -P 11 -p1
 %patch -P 12 -p1
 %patch -P 13 -p1
+%patch -P 14 -p1
 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@@ -1021,6 +1023,13 @@ done
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/*/active/modules/200/grafana
 %changelog
+* Tue Feb 17 2026 Sam Feifer 10.2.6-17
+- Resolves RHEL-144959: CVE-2026-21721
+- Resolves RHEL-146863: CVE-2025-61726
+- Resolves RHEL-147081: CVE-2025-61729
+- Resolves RHEL-147370: CVE-2025-61728
+- Resolves RHEL-149621: CVE-2025-68121
+
 * Wed Dec 3 2025 Sam Feifer 10.2.6-17
 - Resolves RHEL-125692: CVE-2025-58183
 - Resolves RHEL-120426: Grafana-selinux prevents plugins from searching cgroups