Skip to main content

Grafana CVE-2025-3454

| EUVD-2025-16644 MEDIUM
Improper Authorization (CWE-285)
2025-06-02 security@grafana.com GHSA-9j65-rv5x-4vrf
Grafana Authentication Bypass Ubuntu Debian Red Hat Suse
5.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Ubuntu
MEDIUM
qualitative
SUSE
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Red Hat
4.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 14, 2026 - 16:47 euvd
EUVD-2025-16644
Analysis Generated
Mar 14, 2026 - 16:47 vuln.today
CVE Published
Jun 02, 2025 - 11:15 nvd
MEDIUM 5.0

DescriptionCVE.org

This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path.

Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources.

The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.

Analysis

This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path.

Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources.

The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.

Technical ContextAI

This vulnerability is classified as Improper Authorization (CWE-285).

RemediationAI

Monitor vendor advisories for patches. Apply mitigations such as network segmentation, access restrictions, and monitoring.

More from same product – last 7 days

CVE-2026-11769 MEDIUM
6.4 Jun 13

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to creat

Vendor StatusVendor

Ubuntu

Priority: Medium
grafana
Release Status Version
xenial needs-triage -
focal DNE -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -

Debian

grafana
Release Status Fixed Version Urgency
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Affected
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2025-3454 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy