Skip to main content

Grafana CVE-2026-21721

HIGH
Incorrect Authorization (CWE-863)
2026-01-27 security@grafana.com
Privilege Escalation Authentication Bypass Grafana
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
8.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 20, 2026 - 17:52 vuln.today
cvss_changed
Patch released
Apr 09, 2026 - 14:30 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Jan 27, 2026 - 09:15 nvd
HIGH 8.1

DescriptionCVE.org

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.

AnalysisAI

Dashboard permission API fails to validate scope boundaries, allowing authenticated users with permission management rights on any single dashboard to read and modify permissions across all organization dashboards. This privilege escalation affects multi-user dashboard environments where permission isolation is expected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with dashboard permission rights
Delivery
Access permissions API endpoint
Exploit
Omit target dashboard scope parameter
Execution
Modify permissions on arbitrary dashboards
Impact
Escalate privileges across organization
Sign in to reveal

Vulnerability AssessmentAI

Exploitation User account with dashboards.permissions:* action permission on at least one dashboard within the same organization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 8.1 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker could exploit this vulnerability to compromise the affected system.
Remediation Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: inventory all users with dashboards.permissions:* action and audit recent permission changes across all dashboards; disable the permissions API if operationally feasible or restrict it to administrators only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-11769 MEDIUM
6.4 Jun 13

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to creat

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/manager/5.0/x86_64/server:latest Affected
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Manager Client Tools 15 Fixed
SUSE Manager Client Tools for SLE Micro 5 Fixed

Share

CVE-2026-21721 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy