197 vulnerabilities found for grafana by grafana
CVE-2026-21727 (GCVE-0-2026-21727)
Vulnerability from nvd – Published: 2026-04-15 18:57 – Updated: 2026-04-24 08:00
Title
Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record
Summary
---
title: Cross-Tenant Legacy Correlation Disclosure and Deletion
draft: false
hero:
image: /static/img/heros/hero-legal2.svg
content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion"
date: 2026-01-29
product: Grafana
severity: Low
cve: CVE-2026-21727
cvss_score: "3.3"
cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
fixed_versions:
- ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4"
---
A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4.
Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | Grafana Correlations | Affected: 10.2.0, < 12.4.0 (semver) |
Date Public
2026-04-15 18:52
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T19:56:51.668906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T18:59:38.753Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana Correlations",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.4.0",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-04-15T18:52:20.510Z",
"descriptions": [
{
"lang": "en",
"value": "---\ntitle: Cross-Tenant Legacy Correlation Disclosure and Deletion\ndraft: false\nhero:\n image: /static/img/heros/hero-legal2.svg\n content: \"# Cross-Tenant Legacy Correlation Disclosure and Deletion\"\ndate: 2026-01-29\nproduct: Grafana\nseverity: Low\ncve: CVE-2026-21727\ncvss_score: \"3.3\"\ncvss_vector: \"CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N\"\nfixed_versions:\n - \"\u003e=11.6.11 \u003e=12.0.9 \u003e=12.1.6 \u003e=12.2.4\"\n---\nA cross-tenant isolation vulnerability was found in Grafana\u2019s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in \u003e=11.6.11, \u003e=12.0.9, \u003e=12.1.6, and \u003e=12.2.4.\n\nThanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:49.460Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21727"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21727",
"datePublished": "2026-04-15T18:57:25.185Z",
"dateReserved": "2026-01-05T09:26:06.215Z",
"dateUpdated": "2026-04-24T08:00:49.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12141 (GCVE-0-2025-12141)
Vulnerability from nvd – Published: 2026-04-15 14:59 – Updated: 2026-04-15 18:45
Title
Grafana Alerting Editors can edit destination of webhooks they did not create
Summary
In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.
CWE
- CWE-200 - Information Disclosure
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | Grafana Alerting | Affected: 8.0.0, ≤ 12.3.0 (semver) |
Date Public
2025-12-16 20:56
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T18:45:45.527327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T18:45:53.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana Alerting",
"repo": "https://github.com/grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "12.3.0",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-12-16T20:56:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eIn Grafana\u0027s alerting system, users with edit permissions for a contact point, specifically the permissions \u201calert.notifications:write\u201d or \u201calert.notifications.receivers:test\u201d that are granted as part of the fixed role \"Contact Point Writer\", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.\u003c/span\u003e"
}
],
"value": "In Grafana\u0027s alerting system, users with edit permissions for a contact point, specifically the permissions \u201calert.notifications:write\u201d or \u201calert.notifications.receivers:test\u201d that are granted as part of the fixed role \"Contact Point Writer\", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.3,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/S:N/AU:Y",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T14:59:41.317Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2025-12141/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Grafana Alerting Editors can edit destination of webhooks they did not create",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-12141",
"datePublished": "2026-04-15T14:59:41.317Z",
"dateReserved": "2025-10-24T07:07:00.941Z",
"dateUpdated": "2026-04-15T18:45:53.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28375 (GCVE-0-2026-28375)
Vulnerability from nvd – Published: 2026-03-27 14:26 – Updated: 2026-04-24 08:00
Title
Grafana Testdata datasource can issue unbounded memory allocations
Summary
A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
Severity
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Date Public
2026-03-27 14:23
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T15:00:57.773116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T15:01:14.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T14:23:47.094Z",
"descriptions": [
{
"lang": "en",
"value": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:45.094Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-28375"
}
],
"source": {
"discovery": "INTERNAL_FINDING"
},
"title": "Grafana Testdata datasource can issue unbounded memory allocations",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-28375",
"datePublished": "2026-03-27T14:26:19.270Z",
"dateReserved": "2026-02-27T07:16:12.218Z",
"dateUpdated": "2026-04-24T08:00:45.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27880 (GCVE-0-2026-27880)
Vulnerability from nvd – Published: 2026-03-27 14:12 – Updated: 2026-04-24 08:00
Title
OpenFeature evaluation API reads input data with no bounds
Summary
The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
Severity
7.5 (High)
Date Public
2026-03-27 14:08
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27880",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:43:21.670196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:43:46.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"broken-link"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27880"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Cloud",
"OnPrem"
],
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "v12.1.10",
"status": "affected",
"version": "v12.1.0",
"versionType": "semver"
},
{
"lessThan": "v12.2.8",
"status": "affected",
"version": "v12.2.0",
"versionType": "semver"
},
{
"lessThan": "v12.3.6",
"status": "affected",
"version": "v12.3.0",
"versionType": "semver"
},
{
"lessThan": "v12.4.2",
"status": "affected",
"version": "v12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T14:08:45.874Z",
"descriptions": [
{
"lang": "en",
"value": "The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:50.308Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27880"
}
],
"source": {
"discovery": "INTERNAL_FINDING"
},
"title": "OpenFeature evaluation API reads input data with no bounds",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27880",
"datePublished": "2026-03-27T14:12:20.075Z",
"dateReserved": "2026-02-24T14:30:17.727Z",
"dateUpdated": "2026-04-24T08:00:50.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27879 (GCVE-0-2026-27879)
Vulnerability from nvd – Published: 2026-03-27 14:28 – Updated: 2026-04-24 08:00
Title
Query resampling can cause unbounded memory allocations
Summary
A resample query can be used to trigger out-of-memory crashes in Grafana.
Severity
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Date Public
2026-03-27 14:26
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T15:02:56.347770Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T15:02:59.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Cloud",
"OnPrem"
],
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T14:26:32.584Z",
"descriptions": [
{
"lang": "en",
"value": "A resample query can be used to trigger out-of-memory crashes in Grafana."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:49.101Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27879"
}
],
"source": {
"discovery": "INTERNAL_FINDING"
},
"title": "Query resampling can cause unbounded memory allocations",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27879",
"datePublished": "2026-03-27T14:28:56.133Z",
"dateReserved": "2026-02-24T14:30:17.727Z",
"dateUpdated": "2026-04-24T08:00:49.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27877 (GCVE-0-2026-27877)
Vulnerability from nvd – Published: 2026-03-27 14:02 – Updated: 2026-04-24 08:00
Title
Public dashboards discloses all direct mode datasources
Summary
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Severity
6.5 (Medium)
Date Public
2026-03-27 13:59
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27877",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:56:26.128138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:56:34.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"broken-link"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem",
"Cloud"
],
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T13:59:46.831Z",
"descriptions": [
{
"lang": "en",
"value": "When using public dashboards and direct data-sources, all direct data-sources\u0027 passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments\u0027 security."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:49.946Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Public dashboards discloses all direct mode datasources",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27877",
"datePublished": "2026-03-27T14:02:11.889Z",
"dateReserved": "2026-02-24T14:30:17.726Z",
"dateUpdated": "2026-04-24T08:00:49.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27876 (GCVE-0-2026-27876)
Vulnerability from nvd – Published: 2026-03-27 14:24 – Updated: 2026-04-24 08:00
Title
RCE on Grafana via sqlExpressions
Summary
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.
Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Only instances in the following version ranges are affected:
- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.
- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.
- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.
- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.
- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.
Severity
9.1 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Date Public
2026-03-27 14:21
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-28T03:55:48.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem",
"Cloud"
],
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T14:21:53.858Z",
"descriptions": [
{
"lang": "en",
"value": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable.\n\nOnly instances in the following version ranges are affected:\n\n- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.\n- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.\n- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.\n- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.\n- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:45.815Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27876"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "RCE on Grafana via sqlExpressions",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27876",
"datePublished": "2026-03-27T14:24:36.771Z",
"dateReserved": "2026-02-24T14:30:17.726Z",
"dateUpdated": "2026-04-24T08:00:45.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33375 (GCVE-0-2026-33375)
Vulnerability from nvd – Published: 2026-03-26 20:05 – Updated: 2026-04-24 08:00
Title
Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS
Summary
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
Severity
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | Grafana OSS | Affected: 11.6.0, < 11.6.14+security-01 (semver); Affected: 12.1.0, < 12.1.10+security-01 (semver); Affected: 12.2.0, < 12.2.8+security-01 (semver); Affected: 12.3.0, < 12.3.6+security-01 (semver); Affected: 12.4.0, < 12.4.2 (semver) |
Date Public
2026-03-26 12:52
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:39:23.654250Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:40:37.122Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14+security-01",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10+security-01",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-26T12:52:32.117Z",
"descriptions": [
{
"lang": "en",
"value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:50.665Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-33375"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-33375",
"datePublished": "2026-03-26T20:05:52.564Z",
"dateReserved": "2026-03-19T07:55:06.977Z",
"dateUpdated": "2026-04-24T08:00:50.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21724 (GCVE-0-2026-21724)
Vulnerability from nvd – Published: 2026-03-26 20:06 – Updated: 2026-04-24 08:00
Title
Missing Protected-field Authorization in Provisioning Contact Points API
Summary
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Severity
5.4 (Medium)
CWE
- CWE-285 - Improper Authorization
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | Grafana OSS | Affected: 12.3.1, < 12.3.6 (semver); Affected: 12.2.2, < 12.2.8 (semver); Affected: 12.1.5, < 12.1.10 (semver); Affected: 11.6.9, < 11.6.14 (semver) |
Date Public
2026-03-25 22:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T13:42:43.732342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T13:56:12.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.1",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.2",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.1.5",
"versionType": "semver"
},
{
"lessThan": "11.6.14",
"status": "affected",
"version": "11.6.9",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-25T22:00:37.352Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:46.706Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21724"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Missing Protected-field Authorization in Provisioning Contact Points API",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21724",
"datePublished": "2026-03-26T20:06:18.829Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-24T08:00:46.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21725 (GCVE-0-2026-21725)
Vulnerability from nvd – Published: 2026-02-25 12:35 – Updated: 2026-04-24 08:00
Title
Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name
Summary
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.
This requires several very stringent conditions to be met:
- The attacker must have admin access to the specific datasource prior to its first deletion.
- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.
- The attacker must delete the datasource, then someone must recreate it.
- The new datasource must not have the attacker as an admin.
- The new datasource must have the same UID as the prior datasource. These are randomised by default.
- The datasource can now be re-deleted by the attacker.
- Once 30 seconds are up, the attack is spent and cannot be repeated.
- No datasource with any other UID can be attacked.
Date Public
2026-02-25 08:21
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21725",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T15:13:32.666615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:13:57.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "v12.4.1",
"status": "affected",
"version": "v11.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-02-25T08:21:23.844Z",
"descriptions": [
{
"lang": "en",
"value": "A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.\n\nThis requires several very stringent conditions to be met:\n\n- The attacker must have admin access to the specific datasource prior to its first deletion.\n- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.\n- The attacker must delete the datasource, then someone must recreate it.\n- The new datasource must not have the attacker as an admin.\n- The new datasource must have the same UID as the prior datasource. These are randomised by default.\n- The datasource can now be re-deleted by the attacker.\n- Once 30 seconds are up, the attack is spent and cannot be repeated.\n- No datasource with any other UID can be attacked."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:44.700Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21725"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21725",
"datePublished": "2026-02-25T12:35:43.104Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-24T08:00:44.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21722 (GCVE-0-2026-21722)
Vulnerability from nvd – Published: 2026-02-12 08:49 – Updated: 2026-04-24 08:00
Title
Public Dashboards time range restriction on annotations can be bypassed
Summary
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.
This did not leak any annotations that would not otherwise be visible on the public dashboard.
Severity
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | grafana/grafana | Affected: 9.3.0, < 11.6.10+security-01 (semver); Affected: 12.0.0, < 12.1.6+security-01 (semver); Affected: 12.2.0, < 12.2.4+security-01 (semver); Affected: 12.3.0, < 12.3.2+security-01 (semver) |
Date Public
2026-02-12 07:13
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T14:24:06.337064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T14:01:13.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.10+security-01",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "12.1.6+security-01",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.10+security-01",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "12.1.6+security-01",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-02-12T07:13:06.000Z",
"descriptions": [
{
"lang": "en",
"value": "Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\n\nThis did not leak any annotations that would not otherwise be visible on the public dashboard."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:47.717Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21722"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Public Dashboards time range restriction on annotations can be bypassed",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21722",
"datePublished": "2026-02-12T08:49:05.678Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-24T08:00:47.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41117 (GCVE-0-2025-41117)
Vulnerability from nvd – Published: 2026-02-12 08:49 – Updated: 2026-04-24 08:00
Title
XSS in Grafana Explore stack trace
Summary
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.
Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
Severity
6.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | grafana/grafana | Affected: 12.2.0, < 12.2.4+security-01 (semver); Affected: 12.3.0, < 12.3.2+security-01 (semver) |
Date Public
2026-02-12 07:13
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41117",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-13T04:56:29.748068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T21:38:10.871Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-02-12T07:13:06.000Z",
"descriptions": [
{
"lang": "en",
"value": "Stack traces in Grafana\u0027s Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.\n\nOnly datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:51.710Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2025-41117"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "XSS in Grafana Explore stack trace",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-41117",
"datePublished": "2026-02-12T08:49:08.545Z",
"dateReserved": "2025-04-16T09:19:26.443Z",
"dateUpdated": "2026-04-24T08:00:51.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21721 (GCVE-0-2026-21721)
Vulnerability from nvd – Published: 2026-01-27 09:07 – Updated: 2026-04-24 08:00
Title
Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation
Summary
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
Severity
8.1 (High)
CWE
- CWE-863 - Incorrect Authorization
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | grafana/grafana | Affected: 12.3.0, < 12.3.1 (semver) |
Date Public
2026-01-27 09:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T04:55:19.556498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T21:45:54.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.1",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.3",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.1.5",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.9",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.9",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.1.5",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.3",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.1",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-01-27T09:05:28.422Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/markdown",
"value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
}
],
"value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:51.154Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21721"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21721",
"datePublished": "2026-01-27T09:07:55.160Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-24T08:00:51.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21720 (GCVE-0-2026-21720)
Vulnerability from nvd – Published: 2026-01-27 09:07 – Updated: 2026-04-24 08:00
Title
Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out
Summary
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | grafana/grafana-enterprise | Affected: 3.0.0, < 11.6.9 (semver) |
Date Public
2026-01-27 09:03
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21720",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T14:28:02.795937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T14:29:08.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.9",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.8",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.1.5",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.9",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.8",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.1.5",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-01-27T09:03:09.893Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/markdown",
"value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
}
],
"value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:48.727Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21720"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21720",
"datePublished": "2026-01-27T09:07:04.758Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-24T08:00:48.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41115 (GCVE-0-2025-41115)
Vulnerability from nvd – Published: 2025-11-21 14:25 – Updated: 2026-04-24 08:00
Title
Incorrect privilege assignment
Summary
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.
In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow internal user IDs to be overridden and lead to impersonation or privilege escalation.
This vulnerability applies only if all of the following conditions are met:
- `enableSCIM` feature flag set to true
- `user_sync_enabled` config option in the `[auth.scim]` block set to true
Severity
10 (Critical)
CWE
- CWE-266 - Incorrect Privilege Assignment
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | Grafana Enterprise | Affected: 12.0.0, < 12.2.1 (semver) |
Date Public
2025-11-21 08:12
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-22T04:55:19.297964Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:07:39.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.1",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-11-21T08:12:17.767Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/markdown",
"value": "SCIM provisioning was\u00a0introduced\u00a0in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.\n\nIn Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation.\n\nThis vulnerability applies only if\u00a0all\u00a0of the following conditions are met:\n- `enableSCIM`\u00a0feature flag set to true\n- `user_sync_enabled`\u00a0config option in the\u00a0`[auth.scim]`\u00a0block set to true"
}
],
"value": "SCIM provisioning was\u00a0introduced\u00a0in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.\n\nIn Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation.\n\nThis vulnerability applies only if\u00a0all\u00a0of the following conditions are met:\n- `enableSCIM`\u00a0feature flag set to true\n- `user_sync_enabled`\u00a0config option in the\u00a0`[auth.scim]`\u00a0block set to true"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:52.496Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2025-41115"
}
],
"source": {
"discovery": "INTERNAL_FINDING"
},
"title": "Incorrect privilege assignment",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-41115",
"datePublished": "2025-11-21T14:25:38.945Z",
"dateReserved": "2025-04-16T09:19:26.442Z",
"dateUpdated": "2026-04-24T08:00:52.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21727 (GCVE-0-2026-21727)
Vulnerability from cvelistv5 – Published: 2026-04-15 18:57 – Updated: 2026-04-24 08:00
Title
Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record
Summary
---
title: Cross-Tenant Legacy Correlation Disclosure and Deletion
draft: false
hero:
image: /static/img/heros/hero-legal2.svg
content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion"
date: 2026-01-29
product: Grafana
severity: Low
cve: CVE-2026-21727
cvss_score: "3.3"
cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
fixed_versions:
- ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4"
---
A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4.
Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | Grafana Correlations | Affected: 10.2.0, < 12.4.0 (semver) |
Date Public
2026-04-15 18:52
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T19:56:51.668906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T18:59:38.753Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana Correlations",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.4.0",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-04-15T18:52:20.510Z",
"descriptions": [
{
"lang": "en",
"value": "---\ntitle: Cross-Tenant Legacy Correlation Disclosure and Deletion\ndraft: false\nhero:\n image: /static/img/heros/hero-legal2.svg\n content: \"# Cross-Tenant Legacy Correlation Disclosure and Deletion\"\ndate: 2026-01-29\nproduct: Grafana\nseverity: Low\ncve: CVE-2026-21727\ncvss_score: \"3.3\"\ncvss_vector: \"CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N\"\nfixed_versions:\n - \"\u003e=11.6.11 \u003e=12.0.9 \u003e=12.1.6 \u003e=12.2.4\"\n---\nA cross-tenant isolation vulnerability was found in Grafana\u2019s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in \u003e=11.6.11, \u003e=12.0.9, \u003e=12.1.6, and \u003e=12.2.4.\n\nThanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:49.460Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21727"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21727",
"datePublished": "2026-04-15T18:57:25.185Z",
"dateReserved": "2026-01-05T09:26:06.215Z",
"dateUpdated": "2026-04-24T08:00:49.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12141 (GCVE-0-2025-12141)
Vulnerability from cvelistv5 – Published: 2026-04-15 14:59 – Updated: 2026-04-15 18:45
Title
Grafana Alerting Editors can edit destination of webhooks they did not create
Summary
In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer" (which is part of the basic role Editor), can edit contact points created by other users and change the endpoint URL to a server they control. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.
CWE
- CWE-200 - Information Disclosure
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | Grafana Alerting | Affected: 8.0.0, ≤ 12.3.0 (semver) |
Date Public
2025-12-16 20:56
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T18:45:45.527327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T18:45:53.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana Alerting",
"repo": "https://github.com/grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "12.3.0",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-12-16T20:56:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eIn Grafana\u0027s alerting system, users with edit permissions for a contact point, specifically the permissions \u201calert.notifications:write\u201d or \u201calert.notifications.receivers:test\u201d that are granted as part of the fixed role \"Contact Point Writer\", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.\u003c/span\u003e"
}
],
"value": "In Grafana\u0027s alerting system, users with edit permissions for a contact point, specifically the permissions \u201calert.notifications:write\u201d or \u201calert.notifications.receivers:test\u201d that are granted as part of the fixed role \"Contact Point Writer\", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.3,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/S:N/AU:Y",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T14:59:41.317Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2025-12141/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Grafana Alerting Editors can edit destination of webhooks they did not create",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-12141",
"datePublished": "2026-04-15T14:59:41.317Z",
"dateReserved": "2025-10-24T07:07:00.941Z",
"dateUpdated": "2026-04-15T18:45:53.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27879 (GCVE-0-2026-27879)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:28 – Updated: 2026-04-24 08:00
Title
Query resampling can cause unbounded memory allocations
Summary
A resample query can be used to trigger out-of-memory crashes in Grafana.
Severity
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Date Public
2026-03-27 14:26
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T15:02:56.347770Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T15:02:59.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Cloud",
"OnPrem"
],
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T14:26:32.584Z",
"descriptions": [
{
"lang": "en",
"value": "A resample query can be used to trigger out-of-memory crashes in Grafana."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:49.101Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27879"
}
],
"source": {
"discovery": "INTERNAL_FINDING"
},
"title": "Query resampling can cause unbounded memory allocations",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27879",
"datePublished": "2026-03-27T14:28:56.133Z",
"dateReserved": "2026-02-24T14:30:17.727Z",
"dateUpdated": "2026-04-24T08:00:49.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28375 (GCVE-0-2026-28375)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:26 – Updated: 2026-04-24 08:00
Title
Grafana Testdata datasource can issue unbounded memory allocations
Summary
A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
Severity
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Date Public
2026-03-27 14:23
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T15:00:57.773116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T15:01:14.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T14:23:47.094Z",
"descriptions": [
{
"lang": "en",
"value": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:45.094Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-28375"
}
],
"source": {
"discovery": "INTERNAL_FINDING"
},
"title": "Grafana Testdata datasource can issue unbounded memory allocations",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-28375",
"datePublished": "2026-03-27T14:26:19.270Z",
"dateReserved": "2026-02-27T07:16:12.218Z",
"dateUpdated": "2026-04-24T08:00:45.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27876 (GCVE-0-2026-27876)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:24 – Updated: 2026-04-24 08:00
Title
RCE on Grafana via sqlExpressions
Summary
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to remote arbitrary code execution (RCE). This is enabled by a feature in Grafana (OSS), so all users are recommended to update to avoid future attack vectors along this path.
Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Only instances in the following version ranges are affected:
- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.
- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.
- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.
- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.
- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.
Severity
9.1 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Date Public
2026-03-27 14:21
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-28T03:55:48.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem",
"Cloud"
],
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T14:21:53.858Z",
"descriptions": [
{
"lang": "en",
"value": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable.\n\nOnly instances in the following version ranges are affected:\n\n- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.\n- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.\n- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.\n- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.\n- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:45.815Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27876"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "RCE on Grafana via sqlExpressions",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27876",
"datePublished": "2026-03-27T14:24:36.771Z",
"dateReserved": "2026-02-24T14:30:17.726Z",
"dateUpdated": "2026-04-24T08:00:45.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27880 (GCVE-0-2026-27880)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:12 – Updated: 2026-04-24 08:00
Title
OpenFeature evaluation API reads input data with no bounds
Summary
The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
Severity
7.5 (High)
Date Public
2026-03-27 14:08
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27880",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:43:21.670196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:43:46.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"broken-link"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27880"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Cloud",
"OnPrem"
],
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "v12.1.10",
"status": "affected",
"version": "v12.1.0",
"versionType": "semver"
},
{
"lessThan": "v12.2.8",
"status": "affected",
"version": "v12.2.0",
"versionType": "semver"
},
{
"lessThan": "v12.3.6",
"status": "affected",
"version": "v12.3.0",
"versionType": "semver"
},
{
"lessThan": "v12.4.2",
"status": "affected",
"version": "v12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T14:08:45.874Z",
"descriptions": [
{
"lang": "en",
"value": "The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:50.308Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27880"
}
],
"source": {
"discovery": "INTERNAL_FINDING"
},
"title": "OpenFeature evaluation API reads input data with no bounds",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27880",
"datePublished": "2026-03-27T14:12:20.075Z",
"dateReserved": "2026-02-24T14:30:17.727Z",
"dateUpdated": "2026-04-24T08:00:50.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27877 (GCVE-0-2026-27877)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:02 – Updated: 2026-04-24 08:00
Title
Public dashboards discloses all direct mode datasources
Summary
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Severity
6.5 (Medium)
Date Public
2026-03-27 13:59
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27877",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:56:26.128138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:56:34.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"broken-link"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem",
"Cloud"
],
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T13:59:46.831Z",
"descriptions": [
{
"lang": "en",
"value": "When using public dashboards and direct data-sources, all direct data-sources\u0027 passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments\u0027 security."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:49.946Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Public dashboards discloses all direct mode datasources",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27877",
"datePublished": "2026-03-27T14:02:11.889Z",
"dateReserved": "2026-02-24T14:30:17.726Z",
"dateUpdated": "2026-04-24T08:00:49.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21724 (GCVE-0-2026-21724)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:06 – Updated: 2026-04-24 08:00
Title
Missing Protected-field Authorization in Provisioning Contact Points API
Summary
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Severity
5.4 (Medium)
CWE
- CWE-285 - Improper Authorization
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | Grafana OSS | Affected: 12.3.1, < 12.3.6 (semver); Affected: 12.2.2, < 12.2.8 (semver); Affected: 12.1.5, < 12.1.10 (semver); Affected: 11.6.9, < 11.6.14 (semver) |
Date Public
2026-03-25 22:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T13:42:43.732342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T13:56:12.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.1",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.2",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.1.5",
"versionType": "semver"
},
{
"lessThan": "11.6.14",
"status": "affected",
"version": "11.6.9",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-25T22:00:37.352Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:46.706Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21724"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Missing Protected-field Authorization in Provisioning Contact Points API",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21724",
"datePublished": "2026-03-26T20:06:18.829Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-24T08:00:46.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33375 (GCVE-0-2026-33375)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:05 – Updated: 2026-04-24 08:00
Title
Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS
Summary
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
Severity
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | Grafana OSS | Affected: 11.6.0, < 11.6.14+security-01 (semver); Affected: 12.1.0, < 12.1.10+security-01 (semver); Affected: 12.2.0, < 12.2.8+security-01 (semver); Affected: 12.3.0, < 12.3.6+security-01 (semver); Affected: 12.4.0, < 12.4.2 (semver) |
Date Public
2026-03-26 12:52
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:39:23.654250Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:40:37.122Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14+security-01",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10+security-01",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-26T12:52:32.117Z",
"descriptions": [
{
"lang": "en",
"value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:50.665Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-33375"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-33375",
"datePublished": "2026-03-26T20:05:52.564Z",
"dateReserved": "2026-03-19T07:55:06.977Z",
"dateUpdated": "2026-04-24T08:00:50.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21725 (GCVE-0-2026-21725)
Vulnerability from cvelistv5 – Published: 2026-02-25 12:35 – Updated: 2026-04-24 08:00
Title
Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name
Summary
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.
This requires several very stringent conditions to be met:
- The attacker must have admin access to the specific datasource prior to its first deletion.
- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.
- The attacker must delete the datasource, then someone must recreate it.
- The new datasource must not have the attacker as an admin.
- The new datasource must have the same UID as the prior datasource. These are randomised by default.
- The datasource can now be re-deleted by the attacker.
- Once 30 seconds are up, the attack is spent and cannot be repeated.
- No datasource with any other UID can be attacked.
Date Public
2026-02-25 08:21
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21725",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T15:13:32.666615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:13:57.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "v12.4.1",
"status": "affected",
"version": "v11.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-02-25T08:21:23.844Z",
"descriptions": [
{
"lang": "en",
"value": "A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.\n\nThis requires several very stringent conditions to be met:\n\n- The attacker must have admin access to the specific datasource prior to its first deletion.\n- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.\n- The attacker must delete the datasource, then someone must recreate it.\n- The new datasource must not have the attacker as an admin.\n- The new datasource must have the same UID as the prior datasource. These are randomised by default.\n- The datasource can now be re-deleted by the attacker.\n- Once 30 seconds are up, the attack is spent and cannot be repeated.\n- No datasource with any other UID can be attacked."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:44.700Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21725"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21725",
"datePublished": "2026-02-25T12:35:43.104Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-24T08:00:44.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41117 (GCVE-0-2025-41117)
Vulnerability from cvelistv5 – Published: 2026-02-12 08:49 – Updated: 2026-04-24 08:00
Title
XSS in Grafana Explore stack trace
Summary
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.
Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
Severity
6.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | grafana/grafana | Affected: 12.2.0, < 12.2.4+security-01 (semver); Affected: 12.3.0, < 12.3.2+security-01 (semver) |
Date Public
2026-02-12 07:13
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41117",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-13T04:56:29.748068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T21:38:10.871Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-02-12T07:13:06.000Z",
"descriptions": [
{
"lang": "en",
"value": "Stack traces in Grafana\u0027s Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.\n\nOnly datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:51.710Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2025-41117"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "XSS in Grafana Explore stack trace",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-41117",
"datePublished": "2026-02-12T08:49:08.545Z",
"dateReserved": "2025-04-16T09:19:26.443Z",
"dateUpdated": "2026-04-24T08:00:51.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21722 (GCVE-0-2026-21722)
Vulnerability from cvelistv5 – Published: 2026-02-12 08:49 – Updated: 2026-04-24 08:00
Title
Public Dashboards time range restriction on annotations can be bypassed
Summary
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.
This did not leak any annotations that would not otherwise be visible on the public dashboard.
Severity
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | grafana/grafana | Affected: 9.3.0, < 11.6.10+security-01 (semver); Affected: 12.0.0, < 12.1.6+security-01 (semver); Affected: 12.2.0, < 12.2.4+security-01 (semver); Affected: 12.3.0, < 12.3.2+security-01 (semver) |
Date Public
2026-02-12 07:13
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T14:24:06.337064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T14:01:13.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.10+security-01",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "12.1.6+security-01",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.10+security-01",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "12.1.6+security-01",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-02-12T07:13:06.000Z",
"descriptions": [
{
"lang": "en",
"value": "Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\n\nThis did not leak any annotations that would not otherwise be visible on the public dashboard."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:47.717Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21722"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Public Dashboards time range restriction on annotations can be bypassed",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21722",
"datePublished": "2026-02-12T08:49:05.678Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-24T08:00:47.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21721 (GCVE-0-2026-21721)
Vulnerability from cvelistv5 – Published: 2026-01-27 09:07 – Updated: 2026-04-24 08:00
Title
Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation
Summary
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
Severity
8.1 (High)
CWE
- CWE-863 - Incorrect Authorization
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | grafana/grafana | Affected: 12.3.0, < 12.3.1 (semver) |
Date Public
2026-01-27 09:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T04:55:19.556498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T21:45:54.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.1",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.3",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.1.5",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.9",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.9",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.1.5",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.3",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.1",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-01-27T09:05:28.422Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/markdown",
"value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
}
],
"value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:51.154Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21721"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21721",
"datePublished": "2026-01-27T09:07:55.160Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-24T08:00:51.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21720 (GCVE-0-2026-21720)
Vulnerability from cvelistv5 – Published: 2026-01-27 09:07 – Updated: 2026-04-24 08:00
Title
Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out
Summary
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
Severity
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | grafana/grafana-enterprise | Affected: 3.0.0, < 11.6.9 (semver) |
Date Public
2026-01-27 09:03
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21720",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T14:28:02.795937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T14:29:08.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.9",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.8",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.1.5",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.9",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.8",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.1.5",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-01-27T09:03:09.893Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/markdown",
"value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
}
],
"value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:48.727Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21720"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21720",
"datePublished": "2026-01-27T09:07:04.758Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-24T08:00:48.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41115 (GCVE-0-2025-41115)
Vulnerability from cvelistv5 – Published: 2025-11-21 14:25 – Updated: 2026-04-24 08:00
Title
Incorrect privilege assignment
Summary
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.
In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow overriding internal user IDs and lead to impersonation or privilege escalation.
This vulnerability applies only if all of the following conditions are met:
- `enableSCIM` feature flag set to true
- `user_sync_enabled` config option in the `[auth.scim]` block set to true
Severity
10 (Critical)
CWE
- CWE-266 - Incorrect Privilege Assignment
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Grafana | Grafana Enterprise | Affected: 12.0.0, < 12.2.1 (semver) |
Date Public
2025-11-21 08:12
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-22T04:55:19.297964Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:07:39.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.1",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-11-21T08:12:17.767Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/markdown",
"value": "SCIM provisioning was\u00a0introduced\u00a0in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.\n\nIn Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation.\n\nThis vulnerability applies only if\u00a0all\u00a0of the following conditions are met:\n- `enableSCIM`\u00a0feature flag set to true\n- `user_sync_enabled`\u00a0config option in the\u00a0`[auth.scim]`\u00a0block set to true"
}
],
"value": "SCIM provisioning was\u00a0introduced\u00a0in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.\n\nIn Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation.\n\nThis vulnerability applies only if\u00a0all\u00a0of the following conditions are met:\n- `enableSCIM`\u00a0feature flag set to true\n- `user_sync_enabled`\u00a0config option in the\u00a0`[auth.scim]`\u00a0block set to true"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T08:00:52.496Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2025-41115"
}
],
"source": {
"discovery": "INTERNAL_FINDING"
},
"title": "Incorrect privilege assignment",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-41115",
"datePublished": "2025-11-21T14:25:38.945Z",
"dateReserved": "2025-04-16T09:19:26.442Z",
"dateUpdated": "2026-04-24T08:00:52.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}