


    8 vulnerabilities found for grafana/grafana by Grafana

    CVE-2026-21722 (GCVE-0-2026-21722)

    Vulnerability from nvd – Published: 2026-02-12 08:49 – Updated: 2026-06-22 16:31
    Title
    Public Dashboards time range restriction on annotations can be bypassed
    Summary
    Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana grafana/grafana Affected: 9.3.0 , < 11.6.10+security-01 (semver)
    Affected: 12.0.0 , < 12.1.6+security-01 (semver)
    Affected: 12.2.0 , < 12.2.4+security-01 (semver)
    Affected: 12.3.0 , < 12.3.2+security-01 (semver)
    Grafana grafana/grafana-enterprise Affected: 9.3.0 , < 11.6.10+security-01 (semver)
    Affected: 12.0.0 , < 12.1.6+security-01 (semver)
    Affected: 12.2.0 , < 12.2.4+security-01 (semver)
    Affected: 12.3.0 , < 12.3.2+security-01 (semver)
    Date Public
    2026-02-12 07:13

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21722",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T14:24:06.337064Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "CWE-863 Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-27T14:01:13.177Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "11.6.10+security-01",
                  "status": "affected",
                  "version": "9.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.1.6+security-01",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.4+security-01",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.2+security-01",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "11.6.10+security-01",
                  "status": "affected",
                  "version": "9.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.1.6+security-01",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.4+security-01",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.2+security-01",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-02-12T07:13:06.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\n\nThis did not leak any annotations that would not otherwise be visible on the public dashboard."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:17.864Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-21722"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Public Dashboards time range restriction on annotations can be bypassed",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-21722",
        "datePublished": "2026-02-12T08:49:05.678Z",
        "dateReserved": "2026-01-05T09:26:06.214Z",
        "dateUpdated": "2026-06-22T16:31:17.864Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-41117 (GCVE-0-2025-41117)

    Vulnerability from nvd – Published: 2026-02-12 08:49 – Updated: 2026-06-22 16:31
    Title
    XSS in Grafana Explore stack trace
    Summary
    Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana grafana/grafana Affected: 12.2.0 , < 12.2.4+security-01 (semver)
    Affected: 12.3.0 , < 12.3.2+security-01 (semver)
    Grafana grafana/grafana-enterprise Affected: 12.2.0 , < 12.2.4+security-01 (semver)
    Affected: 12.3.0 , < 12.3.2+security-01 (semver)
    Date Public
    2026-02-12 07:13

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-41117",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-13T04:56:29.748068Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T21:38:10.871Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.2.4+security-01",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.2+security-01",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.2.4+security-01",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.2+security-01",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-02-12T07:13:06.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stack traces in Grafana\u0027s Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.\n\nOnly datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:08.063Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2025-41117"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "XSS in Grafana Explore stack trace",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2025-41117",
        "datePublished": "2026-02-12T08:49:08.545Z",
        "dateReserved": "2025-04-16T09:19:26.443Z",
        "dateUpdated": "2026-06-22T16:31:08.063Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21721 (GCVE-0-2026-21721)

    Vulnerability from nvd – Published: 2026-01-27 09:07 – Updated: 2026-06-30 12:06
    Title
    Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation
    Summary
    The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana grafana/grafana Affected: 12.3.0 , < 12.3.1 (semver)
    Grafana grafana/grafana Affected: 12.2.0 , < 12.2.3 (semver)
    Grafana grafana/grafana Affected: 12.1.0 , < 12.1.5 (semver)
    Grafana grafana/grafana Affected: 12.0.0 , < 12.0.8 (semver)
    Grafana grafana/grafana Affected: 10.2.0 , < 11.6.9 (semver)
    Grafana grafana/grafana-enterprise Affected: 10.2.0 , < 11.6.9 (semver)
    Grafana grafana/grafana-enterprise Affected: 12.0.0 , < 12.0.8 (semver)
    Grafana grafana/grafana-enterprise Affected: 12.1.0 , < 12.1.5 (semver)
    Grafana grafana/grafana-enterprise Affected: 12.2.0 , < 12.2.3 (semver)
    Grafana grafana/grafana-enterprise Affected: 12.3.0 , < 12.3.1 (semver)
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.12     cpe:/a:redhat:acm:2.12::el9
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.13     cpe:/a:redhat:acm:2.13::el9
    Red Hat Multicluster Global Hub     cpe:/a:redhat:multicluster_globalhub
    Red Hat Red Hat Ceph Storage 5     cpe:/a:redhat:ceph_storage:5
    Red Hat Red Hat Ceph Storage 6     cpe:/a:redhat:ceph_storage:6
    Red Hat Red Hat Ceph Storage 8     cpe:/a:redhat:ceph_storage:8
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Date Public
    2026-01-27 09:05

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21721",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-28T04:55:19.556498Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "CWE-863 Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T21:45:54.908Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2.12::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2.12",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2.13::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2.13",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ceph_storage:5"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ceph Storage 5",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ceph_storage:6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ceph Storage 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ceph_storage:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ceph Storage 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-27T09:07:55.160Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "An authorization error has been discovered in Grafana dashboards. The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-639",
                    "description": "Authorization Bypass Through User-Controlled Key",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:49.215Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-21721"
              },
              {
                "name": "RHBZ#2433242",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433242"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21721.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3078"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2914"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3529"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2920"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:5633"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:8229"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:3078: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2914: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3529: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2920: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:5633: Red Hat Advanced Cluster Management for Kubernetes 2.12"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:8229: Red Hat Advanced Cluster Management for Kubernetes 2.13"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-27T10:02:34.317Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-27T09:07:55.160Z",
                "value": "Made public."
              }
            ],
            "title": "grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.3.1",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.2.3",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.1.5",
                  "status": "affected",
                  "version": "12.1.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.0.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "11.6.9",
                  "status": "affected",
                  "version": "10.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "11.6.9",
                  "status": "affected",
                  "version": "10.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.0.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.1.5",
                  "status": "affected",
                  "version": "12.1.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.2.3",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.3.1",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-01-27T09:05:28.422Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/markdown",
                  "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
                }
              ],
              "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:32.434Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-21721"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-21721",
        "datePublished": "2026-01-27T09:07:55.160Z",
        "dateReserved": "2026-01-05T09:26:06.214Z",
        "dateUpdated": "2026-06-30T12:06:49.215Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21720 (GCVE-0-2026-21720)

    Vulnerability from nvd – Published: 2026-01-27 09:07 – Updated: 2026-06-30 12:06
    Title
    Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out
    Summary
    Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue for longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so the goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-703 - Improper Check or Handling of Exceptional Conditions
    • CWE-772 - Missing Release of Resource after Effective Lifetime
    Assigner
    Impacted products
    Vendor Product Version
    Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 11.6.9 (semver)
    Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 12.0.8 (semver)
    Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 12.1.5 (semver)
    Grafana grafana/grafana Affected: 3.0.0 , < 11.6.9 (semver)
    Grafana grafana/grafana Affected: 3.0.0 , < 12.0.8 (semver)
    Grafana grafana/grafana Affected: 3.0.0 , < 12.1.5 (semver)
    Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 12.2.3 (semver)
    Grafana grafana/grafana Affected: 3.0.0 , < 12.2.3 (semver)
    Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 12.3.1 (semver)
    Grafana grafana/grafana Affected: 3.0.0 , < 12.3.1 (semver)
    Red Hat Red Hat Ceph Storage 7     cpe:/a:redhat:ceph_storage:7
    Red Hat Red Hat Ceph Storage 8     cpe:/a:redhat:ceph_storage:8
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Date Public
    2026-01-27 09:03

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21720",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-27T14:28:02.795937Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-703",
                    "description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-27T14:29:08.671Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ceph_storage:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Ceph Storage 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ceph_storage:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Ceph Storage 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-27T09:07:04.758Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Grafana. A remote attacker can exploit this vulnerability by sending a sustained volume of uncached /avatar/:hash requests. This action causes the system to create and block goroutines, which are lightweight concurrent functions, leading to a continuous increase in memory usage. Over time, this resource exhaustion can cause Grafana to crash, resulting in a Denial of Service (DoS)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-772",
                    "description": "Missing Release of Resource after Effective Lifetime",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:49.515Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-21720"
              },
              {
                "name": "RHBZ#2433226",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433226"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21720.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-27T10:01:10.677Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-27T09:07:04.758Z",
                "value": "Made public."
              }
            ],
            "title": "grafana: Grafana: Denial of Service via resource exhaustion from avatar requests",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "11.6.9",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.0.8",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.1.5",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "11.6.9",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.0.8",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.1.5",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.2.3",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.2.3",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.3.1",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.3.1",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-01-27T09:03:09.893Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/markdown",
                  "value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
                }
              ],
              "value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:14.758Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-21720"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-21720",
        "datePublished": "2026-01-27T09:07:04.758Z",
        "dateReserved": "2026-01-05T09:26:06.214Z",
        "dateUpdated": "2026-06-30T12:06:49.515Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-41117 (GCVE-0-2025-41117)

    Vulnerability from cvelistv5 – Published: 2026-02-12 08:49 – Updated: 2026-06-22 16:31
    Title
    XSS in Grafana Explore stack trace
    Summary
    Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and can thus inject malicious JavaScript into the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources using the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear to be affected at all.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana grafana/grafana Affected: 12.2.0 , < 12.2.4+security-01 (semver)
    Affected: 12.3.0 , < 12.3.2+security-01 (semver)
    Grafana grafana/grafana-enterprise Affected: 12.2.0 , < 12.2.4+security-01 (semver)
    Affected: 12.3.0 , < 12.3.2+security-01 (semver)
    Date Public
    2026-02-12 07:13

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-41117",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-13T04:56:29.748068Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T21:38:10.871Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.2.4+security-01",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.2+security-01",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.2.4+security-01",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.2+security-01",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-02-12T07:13:06.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stack traces in Grafana\u0027s Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.\n\nOnly datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:08.063Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2025-41117"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "XSS in Grafana Explore stack trace",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2025-41117",
        "datePublished": "2026-02-12T08:49:08.545Z",
        "dateReserved": "2025-04-16T09:19:26.443Z",
        "dateUpdated": "2026-06-22T16:31:08.063Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21722 (GCVE-0-2026-21722)

    Vulnerability from cvelistv5 – Published: 2026-02-12 08:49 – Updated: 2026-06-22 16:31
    Title
    Public Dashboards time range restriction on annotations can be bypassed
    Summary
    Public dashboards with annotations enabled did not limit their annotation time range to the locked time range of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked time range. This did not leak any annotations that would not otherwise be visible on the public dashboard.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana grafana/grafana Affected: 9.3.0 , < 11.6.10+security-01 (semver)
    Affected: 12.0.0 , < 12.1.6+security-01 (semver)
    Affected: 12.2.0 , < 12.2.4+security-01 (semver)
    Affected: 12.3.0 , < 12.3.2+security-01 (semver)
    Grafana grafana/grafana-enterprise Affected: 9.3.0 , < 11.6.10+security-01 (semver)
    Affected: 12.0.0 , < 12.1.6+security-01 (semver)
    Affected: 12.2.0 , < 12.2.4+security-01 (semver)
    Affected: 12.3.0 , < 12.3.2+security-01 (semver)
    Date Public
    2026-02-12 07:13

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21722",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T14:24:06.337064Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "CWE-863 Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-27T14:01:13.177Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "11.6.10+security-01",
                  "status": "affected",
                  "version": "9.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.1.6+security-01",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.4+security-01",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.2+security-01",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "11.6.10+security-01",
                  "status": "affected",
                  "version": "9.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.1.6+security-01",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.4+security-01",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.2+security-01",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-02-12T07:13:06.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\n\nThis did not leak any annotations that would not otherwise be visible on the public dashboard."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:17.864Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-21722"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Public Dashboards time range restriction on annotations can be bypassed",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-21722",
        "datePublished": "2026-02-12T08:49:05.678Z",
        "dateReserved": "2026-01-05T09:26:06.214Z",
        "dateUpdated": "2026-06-22T16:31:17.864Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21721 (GCVE-0-2026-21721)

    Vulnerability from cvelistv5 – Published: 2026-01-27 09:07 – Updated: 2026-06-30 12:06
    Title
    Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation
    Summary
    The dashboard permissions API does not verify the scope of the target dashboard and only checks for the dashboards.permissions:* action. As a result, a user who has permission-management rights on one dashboard can read and modify the permissions of other dashboards. This is an organization-internal privilege escalation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana grafana/grafana Affected: 12.3.0 , < 12.3.1 (semver)
    Grafana grafana/grafana Affected: 12.2.0 , < 12.2.3 (semver)
    Grafana grafana/grafana Affected: 12.1.0 , < 12.1.5 (semver)
    Grafana grafana/grafana Affected: 12.0.0 , < 12.0.8 (semver)
    Grafana grafana/grafana Affected: 10.2.0 , < 11.6.9 (semver)
    Grafana grafana/grafana-enterprise Affected: 10.2.0 , < 11.6.9 (semver)
    Grafana grafana/grafana-enterprise Affected: 12.0.0 , < 12.0.8 (semver)
    Grafana grafana/grafana-enterprise Affected: 12.1.0 , < 12.1.5 (semver)
    Grafana grafana/grafana-enterprise Affected: 12.2.0 , < 12.2.3 (semver)
    Grafana grafana/grafana-enterprise Affected: 12.3.0 , < 12.3.1 (semver)
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.12     cpe:/a:redhat:acm:2.12::el9
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.13     cpe:/a:redhat:acm:2.13::el9
    Red Hat Multicluster Global Hub     cpe:/a:redhat:multicluster_globalhub
    Red Hat Red Hat Ceph Storage 5     cpe:/a:redhat:ceph_storage:5
    Red Hat Red Hat Ceph Storage 6     cpe:/a:redhat:ceph_storage:6
    Red Hat Red Hat Ceph Storage 8     cpe:/a:redhat:ceph_storage:8
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Date Public
    2026-01-27 09:05

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21721",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-28T04:55:19.556498Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "CWE-863 Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T21:45:54.908Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2.12::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2.12",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2.13::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2.13",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ceph_storage:5"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ceph Storage 5",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ceph_storage:6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ceph Storage 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ceph_storage:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ceph Storage 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-27T09:07:55.160Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "An authorization error has been discovered in Grafana dashboards. The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-639",
                    "description": "Authorization Bypass Through User-Controlled Key",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:49.215Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-21721"
              },
              {
                "name": "RHBZ#2433242",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433242"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21721.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3078"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2914"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3529"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2920"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:5633"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:8229"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:3078: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2914: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3529: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2920: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:5633: Red Hat Advanced Cluster Management for Kubernetes 2.12"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:8229: Red Hat Advanced Cluster Management for Kubernetes 2.13"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-27T10:02:34.317Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-27T09:07:55.160Z",
                "value": "Made public."
              }
            ],
            "title": "grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.3.1",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.2.3",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.1.5",
                  "status": "affected",
                  "version": "12.1.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.0.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "11.6.9",
                  "status": "affected",
                  "version": "10.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "11.6.9",
                  "status": "affected",
                  "version": "10.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.0.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.1.5",
                  "status": "affected",
                  "version": "12.1.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.2.3",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.3.1",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-01-27T09:05:28.422Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/markdown",
                  "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
                }
              ],
              "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:32.434Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-21721"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-21721",
        "datePublished": "2026-01-27T09:07:55.160Z",
        "dateReserved": "2026-01-05T09:26:06.214Z",
        "dateUpdated": "2026-06-30T12:06:49.215Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21720 (GCVE-0-2026-21720)

    Vulnerability from cvelistv5 – Published: 2026-01-27 09:07 – Updated: 2026-06-30 12:06
    Title
    Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out
    Summary
    Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-703 - Improper Check or Handling of Exceptional Conditions
    • CWE-772 - Missing Release of Resource after Effective Lifetime
    Assigner
    Impacted products
    Vendor Product Version
    Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 11.6.9 (semver)
    Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 12.0.8 (semver)
    Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 12.1.5 (semver)
    Grafana grafana/grafana Affected: 3.0.0 , < 11.6.9 (semver)
    Grafana grafana/grafana Affected: 3.0.0 , < 12.0.8 (semver)
    Grafana grafana/grafana Affected: 3.0.0 , < 12.1.5 (semver)
    Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 12.2.3 (semver)
    Grafana grafana/grafana Affected: 3.0.0 , < 12.2.3 (semver)
    Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 12.3.1 (semver)
    Grafana grafana/grafana Affected: 3.0.0 , < 12.3.1 (semver)
    Red Hat Red Hat Ceph Storage 7     cpe:/a:redhat:ceph_storage:7
    Red Hat Red Hat Ceph Storage 8     cpe:/a:redhat:ceph_storage:8
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Date Public
    2026-01-27 09:03

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21720",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-27T14:28:02.795937Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-703",
                    "description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-27T14:29:08.671Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ceph_storage:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Ceph Storage 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ceph_storage:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Ceph Storage 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-27T09:07:04.758Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Grafana. A remote attacker can exploit this vulnerability by sending a sustained volume of uncached /avatar/:hash requests. This action causes the system to create and block goroutines, which are lightweight concurrent functions, leading to a continuous increase in memory usage. Over time, this resource exhaustion can cause Grafana to crash, resulting in a Denial of Service (DoS)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-772",
                    "description": "Missing Release of Resource after Effective Lifetime",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:49.515Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-21720"
              },
              {
                "name": "RHBZ#2433226",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433226"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21720.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-27T10:01:10.677Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-27T09:07:04.758Z",
                "value": "Made public."
              }
            ],
            "title": "grafana: Grafana: Denial of Service via resource exhaustion from avatar requests",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "11.6.9",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.0.8",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.1.5",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "11.6.9",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.0.8",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.1.5",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.2.3",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.2.3",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana-enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.3.1",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.3.1",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-01-27T09:03:09.893Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/markdown",
                  "value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue for longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so the goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
                }
              ],
              "value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue for longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so the goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:14.758Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-21720"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-21720",
        "datePublished": "2026-01-27T09:07:04.758Z",
        "dateReserved": "2026-01-05T09:26:06.214Z",
        "dateUpdated": "2026-06-30T12:06:49.515Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }