Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Grafana Correlations by Grafana

    CVE-2026-21727 (GCVE-0-2026-21727)

    Vulnerability from nvd – Published: 2026-04-15 18:57 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record
    Summary
    --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana Correlations Affected: 10.2.0 , < 12.4.0 (semver)
    Create a notification for this product.
    Date Public
    2026-04-15 18:52
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21727",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T19:56:51.668906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-732",
                    "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-20T18:59:38.753Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana Correlations",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.4.0",
                  "status": "affected",
                  "version": "10.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-04-15T18:52:20.510Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "---\ntitle: Cross-Tenant Legacy Correlation Disclosure and Deletion\ndraft: false\nhero:\n  image: /static/img/heros/hero-legal2.svg\n  content: \"# Cross-Tenant Legacy Correlation Disclosure and Deletion\"\ndate: 2026-01-29\nproduct: Grafana\nseverity: Low\ncve: CVE-2026-21727\ncvss_score: \"3.3\"\ncvss_vector: \"CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N\"\nfixed_versions:\n  - \"\u003e=11.6.11 \u003e=12.0.9 \u003e=12.1.6 \u003e=12.2.4\"\n---\nA cross-tenant isolation vulnerability was found in Grafana\u2019s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in \u003e=11.6.11, \u003e=12.0.9, \u003e=12.1.6, and \u003e=12.2.4.\n\nThanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:24.793Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-21727"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-21727",
        "datePublished": "2026-04-15T18:57:25.185Z",
        "dateReserved": "2026-01-05T09:26:06.215Z",
        "dateUpdated": "2026-06-22T16:31:24.793Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21727 (GCVE-0-2026-21727)

    Vulnerability from cvelistv5 – Published: 2026-04-15 18:57 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record
    Summary
    --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana Correlations Affected: 10.2.0 , < 12.4.0 (semver)
    Create a notification for this product.
    Date Public
    2026-04-15 18:52
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21727",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T19:56:51.668906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-732",
                    "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-20T18:59:38.753Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana Correlations",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.4.0",
                  "status": "affected",
                  "version": "10.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-04-15T18:52:20.510Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "---\ntitle: Cross-Tenant Legacy Correlation Disclosure and Deletion\ndraft: false\nhero:\n  image: /static/img/heros/hero-legal2.svg\n  content: \"# Cross-Tenant Legacy Correlation Disclosure and Deletion\"\ndate: 2026-01-29\nproduct: Grafana\nseverity: Low\ncve: CVE-2026-21727\ncvss_score: \"3.3\"\ncvss_vector: \"CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N\"\nfixed_versions:\n  - \"\u003e=11.6.11 \u003e=12.0.9 \u003e=12.1.6 \u003e=12.2.4\"\n---\nA cross-tenant isolation vulnerability was found in Grafana\u2019s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in \u003e=11.6.11, \u003e=12.0.9, \u003e=12.1.6, and \u003e=12.2.4.\n\nThanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:24.793Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-21727"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-21727",
        "datePublished": "2026-04-15T18:57:25.185Z",
        "dateReserved": "2026-01-05T09:26:06.215Z",
        "dateUpdated": "2026-06-22T16:31:24.793Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }