Search

Find a vulnerability

Search criteria

    223 vulnerabilities found for grafana by grafana

    CVE-2026-42127 (GCVE-0-2026-42127)

    Vulnerability from nvd – Published: 2026-06-22 16:31 – Updated: 2026-06-22 17:28
    VLAI
    Title
    Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler
    Summary
    The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana Enterprise Affected: 0 , ≤ 11.6.14 (semver)
    Affected: 0 , ≤ 12.2.8 (semver)
    Affected: 0 , ≤ 12.3.6 (semver)
    Affected: 0 , ≤ 12.4.3 (semver)
    Affected: 0 , ≤ 13.0.1 (semver)
    Create a notification for this product.
    Grafana Grafana OSS Affected: 11.6.0 , ≤ 11.6.14 (semver)
    Affected: 12.2.0 , ≤ 12.2.8 (semver)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Create a notification for this product.
    Date Public
    2026-05-24 15:38
    Credits
    Charlie Lewis
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42127",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T17:28:16.184877Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T17:28:35.835Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana Enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Charlie Lewis"
            }
          ],
          "datePublic": "2026-05-24T15:38:07.115Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:28.096Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-42127"
            }
          ],
          "source": {
            "discovery": "EXTERNAL_REPORT"
          },
          "title": "Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-42127",
        "datePublished": "2026-06-22T16:31:28.096Z",
        "dateReserved": "2026-04-24T15:38:08.066Z",
        "dateUpdated": "2026-06-22T17:28:35.835Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9029 (GCVE-0-2026-9029)

    Vulnerability from nvd – Published: 2026-06-22 13:18 – Updated: 2026-06-24 15:55
    VLAI
    Title
    Stored XSS via Geomap Panel Template Variable Attribution Injection
    Summary
    The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 12.4.0 (semver)
    Create a notification for this product.
    Date Public
    2026-05-22 14:46
    Credits
    trailerb18 (Researcher)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9029",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T03:55:45.644989Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:55:58.092Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "OnPrem"
              ],
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "trailerb18 (Researcher)"
            }
          ],
          "datePublic": "2026-05-22T14:46:29.694Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The geomap panel\u0027s XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable\u0027s default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T13:18:40.770Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-9029"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Stored XSS via Geomap Panel Template Variable Attribution Injection",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-9029",
        "datePublished": "2026-06-22T13:18:40.770Z",
        "dateReserved": "2026-05-19T15:28:45.662Z",
        "dateUpdated": "2026-06-24T15:55:58.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10601 (GCVE-0-2026-10601)

    Vulnerability from nvd – Published: 2026-06-22 13:18 – Updated: 2026-06-24 15:54
    VLAI
    Title
    Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access
    Summary
    The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 11.6.0 (semver)
    Create a notification for this product.
    Date Public
    2026-06-06 13:55
    Credits
    homb (Researcher)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10601",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T15:44:03.006985Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:54:19.712Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Cloud",
                "OnPrem"
              ],
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "homb (Researcher)"
            }
          ],
          "datePublic": "2026-06-06T13:55:46.009Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki\u0027s CallResource which returns full HTTP response bodies."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T13:18:31.531Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-10601"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Path Traversal in Tempo and Loki Data Source Plugins \u2014 Credential Leakage and Admin Endpoint Access",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-10601",
        "datePublished": "2026-06-22T13:18:31.531Z",
        "dateReserved": "2026-06-02T09:57:26.570Z",
        "dateUpdated": "2026-06-24T15:54:19.712Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33381 (GCVE-0-2026-33381)

    Vulnerability from nvd – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Users can generate Service Account tokens after permissions removal
    Summary
    When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 9.2.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33381",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-15T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-16T03:55:59.990Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "9.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "When a user\u0027s access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:11.099Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-33381"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Users can generate Service Account tokens after permissions removal",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-33381",
        "datePublished": "2026-05-13T19:28:31.559Z",
        "dateReserved": "2026-03-19T07:55:06.978Z",
        "dateUpdated": "2026-06-22T16:31:11.099Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33380 (GCVE-0-2026-33380)

    Vulnerability from nvd – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    SQL Expressions Read File From Disk
    Summary
    A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-552 - Files or Directories Accessible to External Parties
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 11.6.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33380",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T15:12:34.365612Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-552",
                    "description": "CWE-552 Files or Directories Accessible to External Parties",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T15:12:46.748Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server\u0027s filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:12.990Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-33380"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "SQL Expressions Read File From Disk",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-33380",
        "datePublished": "2026-05-13T19:28:32.915Z",
        "dateReserved": "2026-03-19T07:55:06.978Z",
        "dateUpdated": "2026-06-22T16:31:12.990Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33378 (GCVE-0-2026-33378)

    Vulnerability from nvd – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro
    Summary
    Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 8.0.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33378",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T12:33:44.094482Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T12:33:58.842Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:25.643Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-33378"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-33378",
        "datePublished": "2026-05-13T19:28:37.606Z",
        "dateReserved": "2026-03-19T07:55:06.977Z",
        "dateUpdated": "2026-06-22T16:31:25.643Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33377 (GCVE-0-2026-33377)

    Vulnerability from nvd – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin
    Summary
    An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 8.5.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33377",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-16T03:55:59.661383Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-18T18:33:09.317Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "8.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:20.472Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-33377"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Dashboard Import Overwrites ACL \u2014 Editor Privilege Escalation to Dashboard Admin",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-33377",
        "datePublished": "2026-05-13T19:28:28.154Z",
        "dateReserved": "2026-03-19T07:55:06.977Z",
        "dateUpdated": "2026-06-22T16:31:20.472Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33376 (GCVE-0-2026-33376)

    Vulnerability from nvd – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Auth Proxy IPv6 whitelist bypass
    Summary
    When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1188 - Initialization of a Resource with an Insecure Default
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 9.4.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33376",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-15T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1188",
                    "description": "CWE-1188 Initialization of a Resource with an Insecure Default",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-16T03:56:01.168Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "9.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:29.856Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-33376"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Auth Proxy IPv6 whitelist bypass",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-33376",
        "datePublished": "2026-05-13T19:28:34.473Z",
        "dateReserved": "2026-03-19T07:55:06.977Z",
        "dateUpdated": "2026-06-22T16:31:29.856Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28383 (GCVE-0-2026-28383)

    Vulnerability from nvd – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Grafana plugin resources can lead to unbounded memory allocation
    Summary
    A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 6.7.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28383",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T12:35:48.301448Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T12:36:22.328Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "6.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:12.042Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-28383"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Grafana plugin resources can lead to unbounded memory allocation",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-28383",
        "datePublished": "2026-05-13T19:28:36.952Z",
        "dateReserved": "2026-02-27T07:16:12.219Z",
        "dateUpdated": "2026-06-22T16:31:12.042Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28380 (GCVE-0-2026-28380)

    Vulnerability from nvd – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    BAC in Snapshot API allows deletion of unauthorized dashboard snapshots
    Summary
    Any Editor could delete any snapshot, even if they have no access to read or write them.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 9.4.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28380",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T15:54:58.435055Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T15:55:03.357Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "9.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Any Editor could delete any snapshot, even if they have no access to read or write them."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:18.705Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-28380"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "BAC in Snapshot API allows deletion of unauthorized dashboard snapshots",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-28380",
        "datePublished": "2026-05-13T19:28:32.257Z",
        "dateReserved": "2026-02-27T07:16:12.218Z",
        "dateUpdated": "2026-06-22T16:31:18.705Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28379 (GCVE-0-2026-28379)

    Vulnerability from nvd – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Viewer-triggered race condition in Grafana Live leads to complete server crash
    Summary
    A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 8.2.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28379",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T18:12:23.118907Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-362",
                    "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T18:12:49.850Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "8.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:26.610Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-28379"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Viewer-triggered race condition in Grafana Live leads to complete server crash",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-28379",
        "datePublished": "2026-05-13T19:28:25.836Z",
        "dateReserved": "2026-02-27T07:16:12.218Z",
        "dateUpdated": "2026-06-22T16:31:26.610Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28376 (GCVE-0-2026-28376)

    Vulnerability from nvd – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Grafana Live push endpoint allows unbounded memory allocation leading to OOM
    Summary
    The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 8.0.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28376",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T18:10:50.762919Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T18:10:54.005Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:16.944Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-28376"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Grafana Live push endpoint allows unbounded memory allocation leading to OOM",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-28376",
        "datePublished": "2026-05-13T19:28:26.544Z",
        "dateReserved": "2026-02-27T07:16:12.218Z",
        "dateUpdated": "2026-06-22T16:31:16.944Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28374 (GCVE-0-2026-28374)

    Vulnerability from nvd – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    IDOR in Annotations API allows unprivileged users to DELETE annotation
    Summary
    Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 8.5.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28374",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T12:32:58.713813Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T12:33:13.749Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "8.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:30.736Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-28374"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "IDOR in Annotations API allows unprivileged users to DELETE annotation",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-28374",
        "datePublished": "2026-05-13T19:28:40.053Z",
        "dateReserved": "2026-02-27T07:16:12.218Z",
        "dateUpdated": "2026-06-22T16:31:30.736Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21727 (GCVE-0-2026-21727)

    Vulnerability from nvd – Published: 2026-04-15 18:57 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record
    Summary
    --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana Correlations Affected: 10.2.0 , < 12.4.0 (semver)
    Create a notification for this product.
    Date Public
    2026-04-15 18:52
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21727",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T19:56:51.668906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-732",
                    "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-20T18:59:38.753Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana Correlations",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.4.0",
                  "status": "affected",
                  "version": "10.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-04-15T18:52:20.510Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "---\ntitle: Cross-Tenant Legacy Correlation Disclosure and Deletion\ndraft: false\nhero:\n  image: /static/img/heros/hero-legal2.svg\n  content: \"# Cross-Tenant Legacy Correlation Disclosure and Deletion\"\ndate: 2026-01-29\nproduct: Grafana\nseverity: Low\ncve: CVE-2026-21727\ncvss_score: \"3.3\"\ncvss_vector: \"CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N\"\nfixed_versions:\n  - \"\u003e=11.6.11 \u003e=12.0.9 \u003e=12.1.6 \u003e=12.2.4\"\n---\nA cross-tenant isolation vulnerability was found in Grafana\u2019s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in \u003e=11.6.11, \u003e=12.0.9, \u003e=12.1.6, and \u003e=12.2.4.\n\nThanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:24.793Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-21727"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-21727",
        "datePublished": "2026-04-15T18:57:25.185Z",
        "dateReserved": "2026-01-05T09:26:06.215Z",
        "dateUpdated": "2026-06-22T16:31:24.793Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-12141 (GCVE-0-2025-12141)

    Vulnerability from nvd – Published: 2026-04-15 14:59 – Updated: 2026-04-15 18:45
    VLAI
    Title
    Grafana Alerting Editors can edit destination of webhooks they did not create
    Summary
    In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Grafana Grafana Alerting Affected: 8.0.0 , ≤ 12.3.0 (semver)
    Create a notification for this product.
    Date Public
    2025-12-16 20:56
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-12141",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T18:45:45.527327Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-15T18:45:53.672Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana Alerting",
              "repo": "https://github.com/grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "12.3.0",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-12-16T20:56:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan\u003eIn Grafana\u0027s alerting system, users with edit permissions for a contact point, specifically the permissions \u201calert.notifications:write\u201d or \u201calert.notifications.receivers:test\u201d that are granted as part of the fixed role \"Contact Point Writer\", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.\u003c/span\u003e"
                }
              ],
              "value": "In Grafana\u0027s alerting system, users with edit permissions for a contact point, specifically the permissions \u201calert.notifications:write\u201d or \u201calert.notifications.receivers:test\u201d that are granted as part of the fixed role \"Contact Point Writer\", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-122",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-122 Privilege Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "NEGLIGIBLE",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 1.3,
                "baseSeverity": "LOW",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/S:N/AU:Y",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Information Disclosure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T14:59:41.317Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "url": "https://grafana.com/security/security-advisories/cve-2025-12141/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Grafana Alerting Editors can edit destination of webhooks they did not create",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2025-12141",
        "datePublished": "2026-04-15T14:59:41.317Z",
        "dateReserved": "2025-10-24T07:07:00.941Z",
        "dateUpdated": "2026-04-15T18:45:53.672Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42127 (GCVE-0-2026-42127)

    Vulnerability from cvelistv5 – Published: 2026-06-22 16:31 – Updated: 2026-06-22 17:28
    VLAI
    Title
    Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler
    Summary
    The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana Enterprise Affected: 0 , ≤ 11.6.14 (semver)
    Affected: 0 , ≤ 12.2.8 (semver)
    Affected: 0 , ≤ 12.3.6 (semver)
    Affected: 0 , ≤ 12.4.3 (semver)
    Affected: 0 , ≤ 13.0.1 (semver)
    Create a notification for this product.
    Grafana Grafana OSS Affected: 11.6.0 , ≤ 11.6.14 (semver)
    Affected: 12.2.0 , ≤ 12.2.8 (semver)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Create a notification for this product.
    Date Public
    2026-05-24 15:38
    Credits
    Charlie Lewis
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42127",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T17:28:16.184877Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T17:28:35.835Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana Enterprise",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Charlie Lewis"
            }
          ],
          "datePublic": "2026-05-24T15:38:07.115Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:28.096Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-42127"
            }
          ],
          "source": {
            "discovery": "EXTERNAL_REPORT"
          },
          "title": "Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-42127",
        "datePublished": "2026-06-22T16:31:28.096Z",
        "dateReserved": "2026-04-24T15:38:08.066Z",
        "dateUpdated": "2026-06-22T17:28:35.835Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9029 (GCVE-0-2026-9029)

    Vulnerability from cvelistv5 – Published: 2026-06-22 13:18 – Updated: 2026-06-24 15:55
    VLAI
    Title
    Stored XSS via Geomap Panel Template Variable Attribution Injection
    Summary
    The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 12.4.0 (semver)
    Create a notification for this product.
    Date Public
    2026-05-22 14:46
    Credits
    trailerb18 (Researcher)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9029",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T03:55:45.644989Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:55:58.092Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "OnPrem"
              ],
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "trailerb18 (Researcher)"
            }
          ],
          "datePublic": "2026-05-22T14:46:29.694Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The geomap panel\u0027s XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable\u0027s default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T13:18:40.770Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-9029"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Stored XSS via Geomap Panel Template Variable Attribution Injection",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-9029",
        "datePublished": "2026-06-22T13:18:40.770Z",
        "dateReserved": "2026-05-19T15:28:45.662Z",
        "dateUpdated": "2026-06-24T15:55:58.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10601 (GCVE-0-2026-10601)

    Vulnerability from cvelistv5 – Published: 2026-06-22 13:18 – Updated: 2026-06-24 15:54
    VLAI
    Title
    Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access
    Summary
    The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 11.6.0 (semver)
    Create a notification for this product.
    Date Public
    2026-06-06 13:55
    Credits
    homb (Researcher)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10601",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T15:44:03.006985Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:54:19.712Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Cloud",
                "OnPrem"
              ],
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "homb (Researcher)"
            }
          ],
          "datePublic": "2026-06-06T13:55:46.009Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki\u0027s CallResource which returns full HTTP response bodies."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T13:18:31.531Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-10601"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Path Traversal in Tempo and Loki Data Source Plugins \u2014 Credential Leakage and Admin Endpoint Access",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-10601",
        "datePublished": "2026-06-22T13:18:31.531Z",
        "dateReserved": "2026-06-02T09:57:26.570Z",
        "dateUpdated": "2026-06-24T15:54:19.712Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28374 (GCVE-0-2026-28374)

    Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    IDOR in Annotations API allows unprivileged users to DELETE annotation
    Summary
    Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 8.5.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28374",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T12:32:58.713813Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T12:33:13.749Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "8.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:30.736Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-28374"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "IDOR in Annotations API allows unprivileged users to DELETE annotation",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-28374",
        "datePublished": "2026-05-13T19:28:40.053Z",
        "dateReserved": "2026-02-27T07:16:12.218Z",
        "dateUpdated": "2026-06-22T16:31:30.736Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33378 (GCVE-0-2026-33378)

    Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro
    Summary
    Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 8.0.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33378",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T12:33:44.094482Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T12:33:58.842Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:25.643Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-33378"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-33378",
        "datePublished": "2026-05-13T19:28:37.606Z",
        "dateReserved": "2026-03-19T07:55:06.977Z",
        "dateUpdated": "2026-06-22T16:31:25.643Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28383 (GCVE-0-2026-28383)

    Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Grafana plugin resources can lead to unbounded memory allocation
    Summary
    A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 6.7.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28383",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T12:35:48.301448Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T12:36:22.328Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "6.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:12.042Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-28383"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Grafana plugin resources can lead to unbounded memory allocation",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-28383",
        "datePublished": "2026-05-13T19:28:36.952Z",
        "dateReserved": "2026-02-27T07:16:12.219Z",
        "dateUpdated": "2026-06-22T16:31:12.042Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33376 (GCVE-0-2026-33376)

    Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Auth Proxy IPv6 whitelist bypass
    Summary
    When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1188 - Initialization of a Resource with an Insecure Default
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 9.4.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33376",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-15T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1188",
                    "description": "CWE-1188 Initialization of a Resource with an Insecure Default",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-16T03:56:01.168Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "9.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:29.856Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-33376"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Auth Proxy IPv6 whitelist bypass",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-33376",
        "datePublished": "2026-05-13T19:28:34.473Z",
        "dateReserved": "2026-03-19T07:55:06.977Z",
        "dateUpdated": "2026-06-22T16:31:29.856Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33380 (GCVE-0-2026-33380)

    Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    SQL Expressions Read File From Disk
    Summary
    A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-552 - Files or Directories Accessible to External Parties
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 11.6.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33380",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T15:12:34.365612Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-552",
                    "description": "CWE-552 Files or Directories Accessible to External Parties",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T15:12:46.748Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server\u0027s filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:12.990Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-33380"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "SQL Expressions Read File From Disk",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-33380",
        "datePublished": "2026-05-13T19:28:32.915Z",
        "dateReserved": "2026-03-19T07:55:06.978Z",
        "dateUpdated": "2026-06-22T16:31:12.990Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28380 (GCVE-0-2026-28380)

    Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    BAC in Snapshot API allows deletion of unauthorized dashboard snapshots
    Summary
    Any Editor could delete any snapshot, even if they have no access to read or write them.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 9.4.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28380",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T15:54:58.435055Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T15:55:03.357Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "9.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Any Editor could delete any snapshot, even if they have no access to read or write them."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:18.705Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-28380"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "BAC in Snapshot API allows deletion of unauthorized dashboard snapshots",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-28380",
        "datePublished": "2026-05-13T19:28:32.257Z",
        "dateReserved": "2026-02-27T07:16:12.218Z",
        "dateUpdated": "2026-06-22T16:31:18.705Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33381 (GCVE-0-2026-33381)

    Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Users can generate Service Account tokens after permissions removal
    Summary
    When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 9.2.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33381",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-15T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-16T03:55:59.990Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "9.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "When a user\u0027s access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:11.099Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-33381"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Users can generate Service Account tokens after permissions removal",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-33381",
        "datePublished": "2026-05-13T19:28:31.559Z",
        "dateReserved": "2026-03-19T07:55:06.978Z",
        "dateUpdated": "2026-06-22T16:31:11.099Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33377 (GCVE-0-2026-33377)

    Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin
    Summary
    An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 8.5.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33377",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-16T03:55:59.661383Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-18T18:33:09.317Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "8.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:20.472Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-33377"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Dashboard Import Overwrites ACL \u2014 Editor Privilege Escalation to Dashboard Admin",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-33377",
        "datePublished": "2026-05-13T19:28:28.154Z",
        "dateReserved": "2026-03-19T07:55:06.977Z",
        "dateUpdated": "2026-06-22T16:31:20.472Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28376 (GCVE-0-2026-28376)

    Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Grafana Live push endpoint allows unbounded memory allocation leading to OOM
    Summary
    The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 8.0.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28376",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T18:10:50.762919Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T18:10:54.005Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:16.944Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-28376"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Grafana Live push endpoint allows unbounded memory allocation leading to OOM",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-28376",
        "datePublished": "2026-05-13T19:28:26.544Z",
        "dateReserved": "2026-02-27T07:16:12.218Z",
        "dateUpdated": "2026-06-22T16:31:16.944Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28379 (GCVE-0-2026-28379)

    Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Viewer-triggered race condition in Grafana Live leads to complete server crash
    Summary
    A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana OSS Affected: 8.2.0 , ≤ 11.6.14 (semver)
    Affected: 11.6.14 , < 11.6.14+security-04 (custom)
    Affected: 12.0.0 , ≤ 12.2.8 (semver)
    Affected: 12.2.8 , < 12.2.8+security-04 (custom)
    Affected: 12.3.0 , ≤ 12.3.6 (semver)
    Affected: 12.3.6 , < 12.3.6+security-04 (custom)
    Affected: 12.4.0 , ≤ 12.4.3 (semver)
    Affected: 12.4.3 , < 12.4.3+security-02 (custom)
    Affected: 13.0.0 , ≤ 13.0.1 (semver)
    Affected: 13.0.1 , < 13.0.1+security-01 (custom)
    Create a notification for this product.
    Date Public
    2026-05-13 07:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28379",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T18:12:23.118907Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-362",
                    "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T18:12:49.850Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana OSS",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.14",
                  "status": "affected",
                  "version": "8.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.6.14+security-04",
                  "status": "affected",
                  "version": "11.6.14",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.2.8",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.2.8+security-04",
                  "status": "affected",
                  "version": "12.2.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.3.6",
                  "status": "affected",
                  "version": "12.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.3.6+security-04",
                  "status": "affected",
                  "version": "12.3.6",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "12.4.3",
                  "status": "affected",
                  "version": "12.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.4.3+security-02",
                  "status": "affected",
                  "version": "12.4.3",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "13.0.1",
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.0.1+security-01",
                  "status": "affected",
                  "version": "13.0.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-05-13T07:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:26.610Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-28379"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Viewer-triggered race condition in Grafana Live leads to complete server crash",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-28379",
        "datePublished": "2026-05-13T19:28:25.836Z",
        "dateReserved": "2026-02-27T07:16:12.218Z",
        "dateUpdated": "2026-06-22T16:31:26.610Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21727 (GCVE-0-2026-21727)

    Vulnerability from cvelistv5 – Published: 2026-04-15 18:57 – Updated: 2026-06-22 16:31
    VLAI
    Title
    Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record
    Summary
    --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    References
    Impacted products
    Vendor Product Version
    Grafana Grafana Correlations Affected: 10.2.0 , < 12.4.0 (semver)
    Create a notification for this product.
    Date Public
    2026-04-15 18:52
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21727",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T19:56:51.668906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-732",
                    "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-20T18:59:38.753Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana Correlations",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "12.4.0",
                  "status": "affected",
                  "version": "10.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-04-15T18:52:20.510Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "---\ntitle: Cross-Tenant Legacy Correlation Disclosure and Deletion\ndraft: false\nhero:\n  image: /static/img/heros/hero-legal2.svg\n  content: \"# Cross-Tenant Legacy Correlation Disclosure and Deletion\"\ndate: 2026-01-29\nproduct: Grafana\nseverity: Low\ncve: CVE-2026-21727\ncvss_score: \"3.3\"\ncvss_vector: \"CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N\"\nfixed_versions:\n  - \"\u003e=11.6.11 \u003e=12.0.9 \u003e=12.1.6 \u003e=12.2.4\"\n---\nA cross-tenant isolation vulnerability was found in Grafana\u2019s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in \u003e=11.6.11, \u003e=12.0.9, \u003e=12.1.6, and \u003e=12.2.4.\n\nThanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:31:24.793Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://grafana.com/security/security-advisories/cve-2026-21727"
            }
          ],
          "source": {
            "discovery": "BUG_BOUNTY"
          },
          "title": "Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2026-21727",
        "datePublished": "2026-04-15T18:57:25.185Z",
        "dateReserved": "2026-01-05T09:26:06.215Z",
        "dateUpdated": "2026-06-22T16:31:24.793Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-12141 (GCVE-0-2025-12141)

    Vulnerability from cvelistv5 – Published: 2026-04-15 14:59 – Updated: 2026-04-15 18:45
    VLAI
    Title
    Grafana Alerting Editors can edit destination of webhooks they did not create
    Summary
    In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Grafana Grafana Alerting Affected: 8.0.0 , ≤ 12.3.0 (semver)
    Create a notification for this product.
    Date Public
    2025-12-16 20:56
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-12141",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T18:45:45.527327Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-15T18:45:53.672Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Grafana Alerting",
              "repo": "https://github.com/grafana/grafana",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThanOrEqual": "12.3.0",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-12-16T20:56:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan\u003eIn Grafana\u0027s alerting system, users with edit permissions for a contact point, specifically the permissions \u201calert.notifications:write\u201d or \u201calert.notifications.receivers:test\u201d that are granted as part of the fixed role \"Contact Point Writer\", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.\u003c/span\u003e"
                }
              ],
              "value": "In Grafana\u0027s alerting system, users with edit permissions for a contact point, specifically the permissions \u201calert.notifications:write\u201d or \u201calert.notifications.receivers:test\u201d that are granted as part of the fixed role \"Contact Point Writer\", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-122",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-122 Privilege Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "NEGLIGIBLE",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 1.3,
                "baseSeverity": "LOW",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/S:N/AU:Y",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Information Disclosure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T14:59:41.317Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "url": "https://grafana.com/security/security-advisories/cve-2025-12141/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Grafana Alerting Editors can edit destination of webhooks they did not create",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2025-12141",
        "datePublished": "2026-04-15T14:59:41.317Z",
        "dateReserved": "2025-10-24T07:07:00.941Z",
        "dateUpdated": "2026-04-15T18:45:53.672Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }