EUVD-2025-16627

CVE-2025-3260
Severity: HIGH 8.3 (CVSS 3.1)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: Low
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        Low

Lifecycle Timeline

Patch Released:     Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 14, 2026 - 16:47 (vuln.today)
EUVD ID Assigned:   Mar 14, 2026 - 16:47 (euvd) - EUVD-2025-16627
CVE Published:      Jun 02, 2025 - 10:15 (nvd)

Description

A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).

Impact:
- Viewers can view all dashboards/folders regardless of permissions
- Editors can view/edit/delete all dashboards/folders regardless of permissions
- Editors can create dashboards in any folder regardless of permissions
- Anonymous users with viewer/editor roles are similarly affected

Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.

Analysis

CVE-2025-3260 is an authorization bypass vulnerability in Grafana's dashboard API endpoints (/apis/dashboard.grafana.app/*) that allows authenticated users to circumvent dashboard and folder permission controls across all API versions (v0alpha1, v1alpha1, v2alpha1). Affected users with viewer or editor roles can access, modify, or delete dashboards and folders they should not have permission to interact with, while organization isolation boundaries and datasource access controls remain unaffected. With a CVSS score of 8.3 and requiring only low-privilege authentication, this represents a significant risk to multi-tenant Grafana deployments and requires immediate patching.

Technical Context

The vulnerability exists in Grafana's Kubernetes-native dashboard API endpoints, which implement role-based access control (RBAC) for dashboard and folder resources. The affected endpoints belong to the dashboard.grafana.app API group and span multiple API versions (v0alpha1, v1alpha1, v2alpha1), reflecting Grafana's evolving custom resource definitions (CRDs) and API framework. The root cause is classified as CWE-863 (Incorrect Authorization): a logic flaw in permission validation rather than an authentication bypass. The flaw likely stems from insufficient permission checks at the API handler level, where the system validates the user's role (viewer/editor) but fails to enforce folder-level or dashboard-level access control lists (ACLs). Datasource access is unaffected, suggesting the permission logic is compartmentalized and only dashboard/folder authorization is affected. That anonymous users with assigned roles are also vulnerable indicates the flaw lies in the role-permission mapping layer rather than in session/identity management.

Affected Products

Grafana (all versions with /apis/dashboard.grafana.app/* endpoints). The vulnerability affects:

(1) Grafana with viewer role users: can view all dashboards/folders
(2) Grafana with editor role users: can view, edit, delete all dashboards/folders and create dashboards in any folder
(3) Grafana instances with anonymous access enabled and viewer/editor role assignment

The CPE string would be approximately 'cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*' with a version constraint requiring discovery of the affected version range from Grafana's official security advisory. The API endpoints affected (dashboard.grafana.app v0alpha1, v1alpha1, v2alpha1) suggest this impacts Grafana instances supporting Kubernetes-native dashboard APIs, typically found in Grafana 7.0+ with custom resource definitions enabled. Organization isolation remains intact, limiting scope to dashboard/folder resources only.

Remediation

1. IMMEDIATE: Upgrade Grafana to a patched version once released by Grafana Labs (check official security advisories at https://grafana.com/security/ for CVE-2025-3260).
2. INTERIM MITIGATION (if patching is delayed): Implement network-level access restrictions to the /apis/dashboard.grafana.app/* endpoints using API gateway, reverse proxy, or service mesh policies (e.g., Kubernetes NetworkPolicy or Istio AuthorizationPolicy). Note that a Kubernetes NetworkPolicy filters at L3/L4 and cannot match a URL path; restricting a specific path prefix requires an L7 control such as the gateway, reverse proxy, or Istio AuthorizationPolicy.
3. Restrict API access to trusted internal clients only; disable anonymous access if not required.
4. Audit dashboard access logs to identify unauthorized access patterns (users accessing dashboards outside their role scope).
5. Implement RBAC policy review: ensure dashboard and folder permissions are explicitly defined and do not rely solely on API-level authorization.
6. Monitor for patch release from Grafana Labs and apply immediately upon availability.

Reference: Grafana official security advisory (pending release with patched version numbers).
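The log audit in step 4 can be scripted. The following is an added example written for this page; it is not code from vuln.today or from Grafana. It assumes Grafana's logfmt-style "Request Completed" log lines (with uname=, method=, path= and status= fields), assumes the Kubernetes-style dashboard path has the form /apis/dashboard.grafana.app/<version>/namespaces/<org>/dashboards/<uid>, and assumes the operator maintains two maps: dashboard uid to folder, and user to (role, folders the user is permitted to access). The sample log lines and maps are constructed for the example. Each request to the affected endpoints is compared against the user's expected scope; on a patched instance an out-of-scope request should return 403, so a 2xx in a finding means the permission bypass was actually exercised.

```python
"""Audit Grafana request logs for dashboard-API access outside a user's scope.

Added example for CVE-2025-3260 remediation step 4; not vuln.today or Grafana
code. Log format, path layout, and the role/folder maps are assumptions, and
all sample data below is constructed.
"""
import re
from typing import Dict, List, Set, Tuple

DASHBOARD_API_PREFIX = "/apis/dashboard.grafana.app/"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# logfmt token: key=value or key="value with spaces"
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# dashboard uid from the assumed Kubernetes-style path layout
_DASH_PATH = re.compile(
    r"^/apis/dashboard\.grafana\.app/v\d+alpha\d+/namespaces/[^/]+/dashboards/([^/?]+)"
)


def parse_logfmt(line: str) -> Dict[str, str]:
    """Split one logfmt line into a key -> value dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, value in _TOKEN.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def audit(lines: List[str],
          dashboard_folder: Dict[str, str],
          users: Dict[str, Tuple[str, Set[str]]]) -> List[dict]:
    """Return one finding per dashboard-API request that exceeds the user's scope.

    users maps uname -> (role, folders the user may access). A finding records
    the user, method, path, status, whether the request succeeded (2xx), and
    the reasons it was flagged. Requests to other endpoints are ignored.
    """
    findings: List[dict] = []
    for line in lines:
        f = parse_logfmt(line)
        path = f.get("path", "")
        if not path.startswith(DASHBOARD_API_PREFIX):
            continue  # not one of the affected endpoints
        user = f.get("uname", "anonymous")
        method = f.get("method", "")
        status = f.get("status", "")
        role, folders = users.get(user, ("Unknown", set()))
        reasons: List[str] = []
        if role == "Unknown":
            reasons.append("user not in role map")
        if role == "Viewer" and method in WRITE_METHODS:
            reasons.append("viewer sent a write request")
        m = _DASH_PATH.match(path)
        if m:
            uid = m.group(1)
            folder = dashboard_folder.get(uid)
            if folder is None:
                reasons.append(f"unknown dashboard uid {uid}")
            elif folder not in folders:
                reasons.append(f"dashboard in folder '{folder}' outside user scope")
        if reasons:
            findings.append({
                "user": user, "role": role, "method": method, "path": path,
                "status": status, "succeeded": status.startswith("2"),
                "reasons": reasons,
            })
    return findings


# --- constructed sample data (not real Grafana output) ---
DASHBOARD_FOLDER = {"sales-kpi": "Sales", "hr-payroll": "HR", "ops-latency": "Ops"}
USERS = {
    "alice": ("Viewer", {"Sales"}),       # viewer, Sales folder only
    "bob": ("Editor", {"Ops"}),           # editor, Ops folder only
    "anonymous": ("Viewer", {"Public"}),  # anonymous access mapped to Viewer
}
_P = "/apis/dashboard.grafana.app"
_T = 'logger=context orgId=1 t=2026-03-15T10:00:01Z level=info msg="Request Completed"'
SAMPLE_LOG = [
    f'{_T} userId=7 uname=alice method=GET path={_P}/v1alpha1/namespaces/default/dashboards/sales-kpi status=200',
    f'{_T} userId=7 uname=alice method=GET path={_P}/v1alpha1/namespaces/default/dashboards/hr-payroll status=200',
    f'{_T} userId=7 uname=alice method=DELETE path={_P}/v2alpha1/namespaces/default/dashboards/hr-payroll status=200',
    f'{_T} userId=9 uname=bob method=PUT path={_P}/v1alpha1/namespaces/default/dashboards/ops-latency status=200',
    f'{_T} userId=0 uname=anonymous method=GET path={_P}/v0alpha1/namespaces/default/dashboards/hr-payroll status=403',
    f'{_T} userId=3 uname=carol method=GET path=/api/datasources status=200',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, DASHBOARD_FOLDER, USERS):
        flag = "BYPASS" if finding["succeeded"] else "denied"
        print(f'{flag:6} {finding["user"]:10} {finding["method"]:6} {finding["path"]}')
        for reason in finding["reasons"]:
            print(f"       - {reason}")
```

Run against the constructed sample the script reports three findings: alice (a viewer) successfully reading a dashboard in the HR folder, alice successfully deleting it, and an anonymous request for the same dashboard that was correctly denied with 403. Feed it real lines by replacing SAMPLE_LOG with the contents of grafana.log and populating the two maps from your own folder and permission inventory.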

Priority Score

42 (scale: Low / Medium / High / Critical)
KEV:  0
EPSS: +0.0
CVSS: +42
POC:  0

Vendor Status

Ubuntu (priority: Medium), package grafana

Release   Status        Version
xenial    needs-triage  -
focal     DNE           -
jammy     DNE           -
noble     DNE           -
oracular  DNE           -
plucky    DNE           -
upstream  needs-triage  -
questing  DNE           -

Debian, package grafana

Release     Status  Fixed Version  Urgency
(unstable)  fixed   (unfixed)      -


EUVD-2025-16627 vulnerability details – vuln.today
