EUVD-2026-16338

| CVE-2026-21724 MEDIUM
2026-03-26 GRAFANA GHSA-7g92-g4vh-hp84
5.4
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch Released
Apr 09, 2026 - 14:30 nvd
Patch available
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16338
CVE Published
Mar 26, 2026 - 20:06 nvd
MEDIUM 5.4

Tags

Grafana Authentication Bypass Redhat Suse

Description

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Analysis

Grafana OSS provisioning contact points API fails to enforce the alert.notifications.receivers.protected:write permission, allowing users with the Editor role to modify protected webhook URLs and bypass intended authorization controls. This affects Grafana OSS versions 11.6.9 through 11.6.14, 12.1.5 through 12.1.10, 12.2.2 through 12.2.8, and 12.3.1 through 12.3.6. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

27
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +27
POC: 0

Vendor Status

Share

EUVD-2026-16338 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy