
Grafana EUVD-2026-16596

CVE-2026-27877 | MEDIUM (CVSS 3.1 base score 6.5, source: NVD)
Cleartext Storage of Sensitive Information (CWE-312)
Published 2026-03-27 · Vendor: Grafana · Advisory: GHSA-3q27-7qjq-p9c5

Severity by source

NVD (primary): 6.5 MEDIUM, vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
SUSE: MEDIUM (qualitative rating)
Red Hat: 7.5 HIGH (qualitative rating)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (newest first)

Apr 03, 2026 02:30 (nvd): Patch released, patch available
Mar 27, 2026 14:30 (euvd): EUVD ID assigned, EUVD-2026-16596
Mar 27, 2026 14:30 (vuln.today): Analysis generated
Mar 27, 2026 14:02 (nvd): CVE published

Description (CVE.org)

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.

No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
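The advisory's mitigation is to convert direct (browser-access) data-sources to proxied ones, since only direct data-sources have their stored passwords exposed through public dashboards. The following audit script is an added example, not code from Grafana or from this advisory: it takes a data-source inventory in the shape Grafana's `GET /api/datasources` returns (an assumption about the API shape; the `access` field holding `"proxy"` or `"direct"` is the relevant part), flags every direct data-source, and prepares the update bodies that would switch them to proxy mode via `PUT /api/datasources/:id` (also an assumption about the API). The sample inventory is constructed.

```python
"""Audit a Grafana data-source inventory for 'direct' (browser) access mode.

Context (CVE-2026-27877): with public dashboards enabled, the passwords of
every direct-access data-source are exposed, whether or not a dashboard uses
them. The vendor's mitigation is to convert direct data-sources to proxied
ones. This example flags the entries that need conversion.

Assumptions (not from the advisory): the input has the shape returned by
Grafana's GET /api/datasources, where each object carries an "access" field
of "proxy" or "direct", and "secureJsonFields" maps the names of stored
secrets to True. The sample inventory below is constructed for this example.
"""
import json
from typing import Any

# Constructed sample, shaped like a GET /api/datasources response (assumed shape).
SAMPLE_INVENTORY = json.dumps([
    {"id": 1, "uid": "ds-prom", "name": "Prometheus", "type": "prometheus",
     "access": "proxy", "url": "http://prometheus:9090", "basicAuth": False},
    {"id": 2, "uid": "ds-pg", "name": "Postgres reporting", "type": "postgres",
     "access": "direct", "url": "db.internal:5432", "user": "grafana_ro",
     "secureJsonFields": {"password": True}},
    {"id": 3, "uid": "ds-influx", "name": "InfluxDB", "type": "influxdb",
     "access": "direct", "url": "http://influx:8086", "basicAuth": True,
     "basicAuthUser": "reader", "secureJsonFields": {"basicAuthPassword": True}},
])


def find_direct_datasources(inventory_json: str) -> list[dict[str, Any]]:
    """Return the data-sources whose access mode is 'direct' (case-insensitive)."""
    inventory = json.loads(inventory_json)
    return [ds for ds in inventory
            if str(ds.get("access", "")).lower() == "direct"]


def has_stored_secret(ds: dict[str, Any]) -> bool:
    """True if the inventory reports at least one stored secret for this entry.

    This is the material the advisory says is exposed for direct data-sources,
    so these entries are the priority when converting.
    """
    return any(bool(v) for v in ds.get("secureJsonFields", {}).values())


def conversion_plan(inventory_json: str) -> list[dict[str, Any]]:
    """Build the update bodies that switch each direct data-source to 'proxy'.

    Only the access mode changes; stored secrets are not touched. Proxy mode
    requires the backend to be reachable from the Grafana server itself, which
    the operator must confirm before applying the plan (assumed PUT endpoint).
    """
    plan = []
    for ds in find_direct_datasources(inventory_json):
        body = {k: v for k, v in ds.items() if k not in ("id", "secureJsonFields")}
        body["access"] = "proxy"
        plan.append({
            "id": ds["id"],
            "name": ds["name"],
            "has_secret": has_stored_secret(ds),
            "body": body,
        })
    return plan


def report(inventory_json: str) -> str:
    """Human-readable summary of the data-sources that need conversion."""
    plan = conversion_plan(inventory_json)
    if not plan:
        return "No direct data-sources found; nothing to convert."
    lines = [f"{len(plan)} direct data-source(s) to convert to proxy mode:"]
    for item in plan:
        flag = "stored secret present" if item["has_secret"] else "no stored secret"
        lines.append(f"  id={item['id']} {item['name']!r} ({flag}) "
                     f"-> PUT /api/datasources/{item['id']} with access=proxy")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

In practice the inventory would be fetched with an admin token from the running instance and the plan applied only after confirming that each backend is reachable from the Grafana server, since a data-source that only the browser can reach cannot be proxied without a network change.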

Analysis (AI-generated)

Grafana publicly exposes direct data-source credentials in public dashboards, allowing authenticated users to retrieve plaintext passwords for all configured direct data-sources regardless of whether those sources are actively referenced in the dashboard itself. Grafana versions affected by CVE-2026-27877 leak sensitive authentication material through an information disclosure vulnerability with a CVSS score of 6.5 (Medium severity). …


Vulnerability Assessment (AI-generated)

Risk Assessment: The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates a network-based attack vector with low complexity and low privilege requirements (PR:L = authenticated attacker), resulting in high confidentiality impact but no integrity or availability impact. …

Exploit Scenario: An authenticated Grafana user with access to any public dashboard can send API requests to enumerate or retrieve the dashboard configuration, which includes embedded direct data-source credentials. If a public dashboard exists (intentionally or by misconfiguration), an attacker with minimal Grafana access can extract plaintext database passwords or API keys for backend systems. …

Remediation: Immediately review Grafana's security advisory at https://grafana.com/security/security-advisories/cve-2026-27877 to identify and deploy the patched version for your deployment. …

Recommended Action (AI-generated)

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …


Vendor Status

SUSE (severity: Medium), product status:

SUSE Linux Enterprise Module for Package Hub 15 SP7: Fixed
SUSE Manager Client Tools 15: Fixed
SUSE Manager Client Tools for SLE 15: Fixed
SUSE Multi-Linux Manager Client Tools for SLE 15: Fixed
openSUSE Leap 15.6: Fixed


EUVD-2026-16596 vulnerability details – vuln.today
