What is the CVSS score of CVE-2025-3260?

CVE-2025-3260 has a CVSS 3.1 base score of 8.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Grafana are affected by CVE-2025-3260?

A high-severity vulnerability in Grafana's dashboard API allows authenticated users to view, edit, and delete dashboards and folders without proper authorization restrictions.. A patch is available.

How to fix or mitigate CVE-2025-3260?

Within 24 hours: Inventory all Grafana instances and identify users with viewer/editor roles; document current dashboard sensitivity levels and access controls. Within 7 days: Implement network-level access restrictions to /apis/dashboard.grafana.app/* endpoints; disable anonymous viewer/editor role assignments if not critical; enable detailed audit logging for all dashboard API calls. Within 30 days: Transition to alternative read-only monitoring dashboards where feasible; establish temporary approval workflows for dashboard access requests; monitor vendor for patch availability and apply immediately upon release.

Grafana CVE-2025-3260

EUVD-2025-16627 HIGH

Incorrect Authorization (CWE-863)

2025-06-02 security@grafana.com

GHSA-3px7-c4j3-576r

Grafana Authentication Bypass Privilege Escalation Information Disclosure Red Hat Suse

8.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.3 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Ubuntu

MEDIUM

qualitative

SUSE

HIGH

qualitative

Red Hat

8.5 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 16:47 euvd

EUVD-2025-16627

Analysis Generated

Mar 14, 2026 - 16:47 vuln.today

CVE Published

Jun 02, 2025 - 10:15 nvd

HIGH 8.3

DescriptionCVE.org

A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).

Impact:

Viewers can view all dashboards/folders regardless of permissions
Editors can view/edit/delete all dashboards/folders regardless of permissions
Editors can create dashboards in any folder regardless of permissions
Anonymous users with viewer/editor roles are similarly affected

Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.

AnalysisAI

CVE-2025-3260 is an authorization bypass vulnerability in Grafana's dashboard API endpoints (/apis/dashboard.grafana.app/*) that allows authenticated users to circumvent dashboard and folder permission controls across all API versions (v0alpha1, v1alpha1, v2alpha1). Affected users with viewer or editor roles can access, modify, or delete dashboards and folders they should not have permission to interact with, while organization isolation boundaries and datasource access controls remain unaffected. With a CVSS score of 8.3 and requiring only low-privilege authentication, this represents a significant risk to multi-tenant Grafana deployments and requires immediate patching.

Technical ContextAI

The vulnerability exists in Grafana's Kubernetes-native dashboard API endpoints that implement role-based access control (RBAC) for dashboard and folder resources. The affected endpoints use API groups under dashboard.grafana.app and span multiple API versions (v0alpha1, v1alpha1, v2alpha1), suggesting Grafana's evolving custom resource definitions (CRDs) or API framework. The root cause is classified as CWE-863 (Incorrect Authorization), indicating a logic flaw in permission validation rather than an authentication bypass. The vulnerability likely stems from insufficient permission checks at the API handler level, where the system validates user roles (viewer/editor) but fails to properly enforce folder-level or dashboard-level access control lists (ACLs). This is distinct from datasource access, suggesting the permission logic is compartmentalized and only dashboard/folder authorization is affected. The fact that anonymous users with assigned roles are also vulnerable indicates the flaw exists in the role-permission mapping layer rather than session/identity management.

RemediationAI

IMMEDIATE: Upgrade Grafana to a patched version once released by Grafana Labs (check official security advisories at https://grafana.com/security/ for CVE-2025-3260). 2. INTERIM MITIGATION (if patching is delayed): Implement network-level access restrictions to the /apis/dashboard.grafana.app/* endpoints using API gateway, reverse proxy, or service mesh policies (e.g., Kubernetes NetworkPolicy or Istio AuthorizationPolicy). 3. Restrict API access to trusted internal clients only; disable anonymous access if not required. 4. Audit dashboard access logs to identify unauthorized access patterns (users accessing dashboards outside their role scope). 5. Implement RBAC policy review: ensure dashboard and folder permissions are explicitly defined and do not rely solely on API-level authorization. 6. Monitor for patch release from Grafana Labs and apply immediately upon availability. Reference: Grafana official security advisory (pending release with patched version numbers).

More from same product – last 7 days

CVE-2026-11769 MEDIUM This Month

6.4 Jun 13

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to creat

Vendor StatusVendor

Ubuntu

Priority: Medium

grafana

Release	Status	Version
xenial	needs-triage	-
focal	DNE	-
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

Debian

grafana

Release	Status	Fixed Version	Urgency
(unstable)	fixed	(unfixed)	-

SUSE

Severity: High

Product	Status
SUSE Linux Enterprise Server 16.0	Fixed
openSUSE Tumbleweed	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7	Fixed
SUSE Linux Enterprise Server 16.1	Fixed
SUSE Linux Enterprise Server for SAP applications 16.1	Fixed

CVE-2025-3260 vulnerability details – vuln.today

Back

SUSE Manager Client Tools 15	Fixed
openSUSE Leap 15.6	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP4	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6	Fixed
openSUSE Leap 15.3	Fixed
openSUSE Leap 15.4	Fixed
openSUSE Leap 15.5	Fixed
SUSE Multi Linux Manager Tools SLE-15	Fixed

Grafana CVE-2025-3260

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Ubuntu

Debian

SUSE

Share

External POC / Exploit Code