diff --git a/0017-fix-CVE-2025-4123.patch b/0017-fix-CVE-2025-4123.patch
new file mode 100644
index 0000000..1c8ce33
--- /dev/null
+++ b/0017-fix-CVE-2025-4123.patch
@@ -0,0 +1,39 @@
+From 9900159635d616f01fb1be98ef94145637d06d07 Mon Sep 17 00:00:00 2001
+From: Sam Feifer
+Date: Tue, 13 May 2025 11:33:22 -0400
+Subject: [PATCH] fix CVE-2025-4123
+
+---
+ conf/defaults.ini | 2 +-
+ conf/sample.ini | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/conf/defaults.ini b/conf/defaults.ini
+index 2d6e1235b60..cf1ce8a962f 100644
+--- a/conf/defaults.ini
++++ b/conf/defaults.ini
+@@ -310,7 +310,7 @@ x_xss_protection = true
+ 
+ # Enable adding the Content-Security-Policy header to your requests.
+ # CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+-content_security_policy = false
++content_security_policy = true
+ 
+ # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+ # $NONCE in the template includes a random nonce.
+diff --git a/conf/sample.ini b/conf/sample.ini
+index 227c90e895d..19afa036b9b 100644
+--- a/conf/sample.ini
++++ b/conf/sample.ini
+@@ -310,7 +310,7 @@
+ 
+ # Enable adding the Content-Security-Policy header to your requests.
+ # CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+-;content_security_policy = false
++;content_security_policy = true
+ 
+ # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+ # $NONCE in the template includes a random nonce.
+-- 
+2.49.0
+
diff --git a/grafana.spec b/grafana.spec
index 88ae423..ab048ed 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -35,7 +35,7 @@ end}
 Name: grafana
 Version: 9.2.10
-Release: 22%{?dist}
+Release: 23%{?dist}
 Summary: Metrics dashboard and graph editor
 License: AGPLv3
 URL: https://grafana.org
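Review bot: The patch titled `fix CVE-2025-4123` changes only the shipped default of `content_security_policy` in conf/defaults.ini (plus the commented-out line in conf/sample.ini), so any deployment whose own grafana.ini already sets `content_security_policy = false` keeps the old behaviour and receives no mitigation from this build; neither the patch subject nor the changelog hunk in grafana.spec says so. Whether flipping the default alone addresses CVE-2025-4123 on 9.2.10, rather than reducing its impact, is not shown here and should be stated either way in the patch description. I would expand the changelog entry to `- Resolves RHEL-89949: CVE-2025-4123 (enable Content-Security-Policy header by default; hosts that explicitly set content_security_policy = false must update their config)`. Since sending a CSP header can block resources loaded by custom plugins or embedded panels, the description should also point operators at the template setting documented just below the changed line instead of turning the header off again.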
@@ -97,6 +97,7 @@ Patch13: 0013-snapshot-delete-check-org.patch
 Patch14: 0014-resolve-dompurify-CVE.patch
 Patch15: 0015-update-go-git-version.patch
 Patch16: 0016-fix-macaron-version-error.patch
+Patch17: 0017-fix-CVE-2025-4123.patch
 
 # Patches affecting the vendor tarball
 Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
@@ -775,6 +776,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 14 -p1
 %patch -P 15 -p1
 %patch -P 16 -p1
+%patch -P 17 -p1
 %patch -P 1001 -p1
 
 %if %{enable_fips_mode}
@@ -1021,6 +1023,9 @@ fi
 %{_datadir}/selinux/*/grafana.pp
 
 %changelog
+* Tue May 13 2025 Sam Feifer 9.2.10-23
+- Resolves RHEL-89949: CVE-2025-4123
+
 * Wed Feb 5 2025 Sam Feifer 9.2.10-22
 - Resolves RHEL-75921: grafana selinux issue with autofs_t