Anonymous Intelligence Signal

Torrust Tracker Demo Server Exposed to CVE-2026-34986 via Outdated Grafana Container

human | The Lab | unverified | 2026-04-14 20:23:08 | Source: GitHub Issues

A critical security vulnerability is actively present on the public-facing Torrust Tracker demo server. The server, `grafana.torrust-tracker-demo.com`, is running an outdated Grafana container (`grafana/grafana:12.4.2`) that bundles a vulnerable version of the `go-jose/go-jose/v4` library, exposing the system to CVE-2026-34986. This flaw, detailed in advisory GHSA-78h2-9frx-2jm8, represents a direct and unpatched risk to the demo environment's security posture.

The vulnerability stems from a dependency within the Grafana monitoring stack. While the project's deployment tooling has been updated in a pull request to default to the patched `grafana/grafana:13.0.0` image for future installations, this fix does not apply retroactively. The live demo server remains on the vulnerable version, and closing the gap requires manual intervention: pulling the new container image and restarting the service. Until that happens there is a mismatch between the secured deployment pipeline and the actual production-like demo instance.

The situation highlights a common operational security blind spot: the distinction between fixing code for future use and remediating already-deployed assets. The demo server, intended to showcase the Torrust Tracker project, now inadvertently showcases a security lag. Until the container is manually upgraded, the server continues to operate with a known vulnerability, leaving it potentially exploitable despite the availability of a patch since April 11, 2026.
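A drift check of the kind the remediation gap above calls for, as an added example that is not the Torrust Tracker project's own tooling: it reads `docker inspect` output (a constructed sample is embedded) and reports `grafana/grafana` containers whose tag is below the 13.0.0 release the page names as patched, or whose version cannot be determined from the tag at all.

```python
"""Flag running Grafana containers whose image tag predates the fixed release.

Added example, not Torrust Tracker code. Input is the JSON array that
`docker inspect <container>...` prints; only the fields used are kept.
"""
import json
import re

# First grafana/grafana release the page names as carrying the patched go-jose.
FIXED_VERSION = (13, 0, 0)

# Constructed sample of trimmed `docker inspect` output; the digest is a placeholder.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/grafana", "Config": {"Image": "grafana/grafana:12.4.2"}},
    {"Name": "/prometheus", "Config": {"Image": "prom/prometheus:v2.51.0"}},
    {"Name": "/grafana-new", "Config": {"Image": "grafana/grafana:13.0.0"}},
    {"Name": "/grafana-pinned", "Config": {"Image": "grafana/grafana@sha256:0000placeholder"}},
])


def split_image_ref(image):
    """Split 'repo[:tag][@digest]' into (repo, tag, digest). Registry ports are handled."""
    ref, _, digest = image.partition("@")
    repo, tag = ref, None
    if ":" in ref.rsplit("/", 1)[-1]:  # colon after the last slash is a tag, not a port
        repo, tag = ref.rsplit(":", 1)
    return repo, tag, digest or None


def parse_version(tag):
    """Return (major, minor, patch) for tags like '12.4.2' or 'v13.0.0'; None otherwise."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", tag or "")
    return tuple(int(x) for x in m.groups()) if m else None


def outdated_grafana(inspect_json, fixed=FIXED_VERSION):
    """Return (container, tag, reason) for grafana/grafana containers not proven patched.

    Digest-pinned or non-numeric tags (e.g. 'latest') are reported as unknown,
    since the running version cannot be confirmed from the reference alone.
    """
    findings = []
    for c in json.loads(inspect_json):
        repo, tag, _ = split_image_ref(c["Config"]["Image"])
        if repo != "grafana/grafana" and not repo.endswith("/grafana/grafana"):
            continue
        name, version = c["Name"].lstrip("/"), parse_version(tag)
        if version is None:
            findings.append((name, tag or "digest", "unknown version"))
        elif version < fixed:
            findings.append((name, tag, "below fixed %d.%d.%d" % fixed))
    return findings


if __name__ == "__main__":
    for name, tag, reason in outdated_grafana(SAMPLE_INSPECT):
        print(f"{name}: {tag} ({reason})")
```

On a live host, pipe `docker inspect $(docker ps -q)` into `outdated_grafana` instead of the embedded sample.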