What is the CVSS score of CVE-2026-21725?

CVE-2026-21725 has a CVSS 3.1 base score of 2.6 (Low). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L. EPSS exploitation probability: 0.0%.

Which versions of Grafana are affected by CVE-2026-21725?

CVE-2026-21725 is a low-severity vulnerability (CVSS 2.6). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation.

How to fix or mitigate CVE-2026-21725?

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Grafana CVE-2026-21725

LOW

Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)

2026-02-25 security@grafana.com

Grafana Information Disclosure

2.6

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

2.6 LOW

AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 25, 2026 - 13:16 nvd

LOW 2.6

DescriptionCVE.org

A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.

This requires several very stringent conditions to be met:

The attacker must have admin access to the specific datasource prior to its first deletion.
Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.
The attacker must delete the datasource, then someone must recreate it.
The new datasource must not have the attacker as an admin.
The new datasource must have the same UID as the prior datasource. These are randomised by default.
The datasource can now be re-deleted by the attacker.
Once 30 seconds are up, the attack is spent and cannot be repeated.
No datasource with any other UID can be attacked.

AnalysisAI

A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. [CVSS 2.6 LOW]

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	CVSS 2.6 (LOW). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker (requires authentication) could exploit this vulnerability to compromise the affected system.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

During next maintenance window: Apply vendor patches when convenient. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-11769 MEDIUM This Month

6.4 Jun 13

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to creat

CVE-2026-21725 vulnerability details – vuln.today

Back