Grafana
Monthly
Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to create GrafanaDashboard or GrafanaLibraryPanel resources to steal the Kubernetes service account token of the operator manager pod. The jsonnet templating language, supported via spec.jsonnetLib, is evaluated unsandboxed inside the operator manager pod, enabling a path traversal payload to read sensitive files - including the mounted service account token - and exfiltrate it through the resulting dashboard output. No public exploit is identified at time of analysis, but successful exploitation yields cluster-level privilege escalation, reflected in the vendor-assigned CVSS 4.0 subsequent-system impact of SC:H/SI:H.
Unauthenticated cross-origin read and write access to local development secrets in the Nhost CLI configserver affects all developers running `nhost dev` with CLI versions prior to 1.46.0. The hidden `configserver` subcommand exposes a Mimir GraphQL API with no-op authorization middleware and wildcard CORS (`Access-Control-Allow-Origin: *`), allowing any web page from an arbitrary origin to exfiltrate Hasura admin secrets, JWT signing keys, webhook secrets, and Grafana credentials, or inject attacker-controlled values into the local `.secrets` file. Publicly available exploit code exists within the security advisory itself; this CVE is not listed in CISA KEV, so no confirmed active exploitation in the wild is established at time of analysis.
Unbounded memory allocation in Grafana OSS's plugin resources endpoint allows any authenticated low-privileged user to trigger an out-of-memory condition by sending a sufficiently large HTTP request body, resulting in denial of service against the Grafana instance. Affected versions span a wide range from 6.7.0 through 13.0.1, with vendor-released security patches available across all supported branches. No public exploit exists and CISA has not added this to the KEV catalog; the EPSS score of 0.04% (12th percentile) reflects very low observed exploitation probability.
Arbitrary file read in Grafana OSS exposes server filesystem contents to authenticated low-privilege users when the sqlExpressions feature toggle is enabled. Affected versions span the 11.6.x, 12.x, and 13.0.x release trains, with fixed security builds available across all affected branches. No public exploit code exists and CISA has not added this to the Known Exploited Vulnerabilities catalog; however, the confidentiality impact is rated High by CVSS due to the potential for unrestricted file disclosure from the Grafana server's filesystem.
Unbounded memory allocation in Grafana OSS's Live push endpoint allows any authenticated user to exhaust server memory by submitting a large or streaming HTTP request body, resulting in an out-of-memory condition and denial of service. Confirmed affected branches span Grafana OSS 8.0.0 through 13.0.1 across five actively maintained release lines, with vendor-released security patches available for each. No public exploit code exists and CISA has not listed this in KEV; the EPSS score of 0.04% (12th percentile) and SSVC exploitation status of 'none' collectively indicate low current real-world exploitation activity.
Grafana Live's concurrent request handling exposes authenticated Viewer-role users as a denial-of-service vector: sending concurrent requests triggers a fatal map access error that crashes the entire Grafana server, requiring a manual restart to restore service. All Grafana OSS releases from 8.2.0 through 13.0.1 are affected across multiple maintained branches, making the exposure surface exceptionally broad. No public exploit identified at time of analysis and EPSS sits at 0.04% (12th percentile), but the low privilege bar - any Viewer account - and reliable triggering (AC:L) mean insider threats and compromised low-privilege accounts represent a realistic DoS risk for organizations without guest/anonymous access controls.
Sensitive credentials and personal data leak through production error logs in Valtimo's web module via LoggingRestClientCustomizer. The component intercepts all outgoing Spring RestClient HTTP calls and includes full request/response bodies and headers in HttpClientErrorException messages logged at ERROR level, exposing JWT tokens, API keys, OAuth tokens, session cookies, and personal data (BSN numbers, case details) to anyone with log access or Valtimo admin role. Vendor-released patches available for both affected release lines (12.33.0 and 13.26.0). No public exploit identified at time of analysis, but exploitation requires only privileged access to logs rather than technical exploitation of a code vulnerability.
---
title: Cross-Tenant Legacy Correlation Disclosure and Deletion
draft: false
hero:
  image: /static/img/heros/hero-legal2.svg
  content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion"
date: 2026-01-29
product: Grafana
severity: Low
cve: CVE-2026-21727
cvss_score: "3.3"
cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
fixed_versions:
  - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4"
---
A cross-tenant isolation vulnerability was found in Grafana's Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
In Grafana's alerting system, users with edit permissions for a contact point (specifically the permissions "alert.notifications:write" or "alert.notifications.receivers:test", which are granted as part of the fixed role "Contact Point Writer", itself part of the basic role Editor) can edit contact points created by other users and modify the endpoint URL to point at a server they control. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.
Grafana versions prior to patching are vulnerable to denial-of-service attacks via maliciously crafted resample queries that exhaust server memory and trigger out-of-memory crashes. Authenticated users with query execution privileges can exploit this low-complexity remote vulnerability to disrupt service availability. No public exploit code or confirmed active exploitation has been identified at the time of analysis, though the attack surface is broad given Grafana's widespread deployment in monitoring infrastructure.
Grafana's testdata data-source plugin allows authenticated users to trigger out-of-memory (OOM) crashes, causing a denial of service affecting availability. The vulnerability requires low-privilege user authentication and network access to the affected Grafana instance, enabling local or remote attackers with valid credentials to exhaust server memory resources without user interaction. No public exploit code or active exploitation has been confirmed at the time of analysis.
Remote code execution is achievable in Grafana installations through a chained attack combining SQL Expressions with a Grafana Enterprise plugin, affecting both open-source and Enterprise deployments. The vulnerability requires high-privilege authenticated access (PR:H) but enables cross-scope impact with complete system compromise once exploited. Only instances with the sqlExpressions feature toggle enabled are vulnerable, though Grafana recommends all users update to prevent future exploitation paths using this attack vector. No public exploit identified at time of analysis, and authentication as a high-privilege user is required per CVSS vector.
Grafana's OpenFeature feature toggle evaluation endpoint can be forced into an out-of-memory condition by submitting unbounded values, enabling remote denial-of-service attacks against the monitoring platform. The vulnerability is network-accessible, requires no authentication (CVSS AV:N/AC:L/PR:N), and has been assigned a CVSS score of 7.5 with high availability impact. No public exploit identified at time of analysis; the CVSS vector (PR:N) confirms that no authentication is required.
Grafana publicly exposes direct data-source credentials in public dashboards, allowing authenticated users to retrieve plaintext passwords for all configured direct data-sources regardless of whether those sources are actively referenced in the dashboard itself. Grafana versions affected by CVE-2026-27877 leak sensitive authentication material through an information disclosure vulnerability with a CVSS score of 6.5 (Medium severity). Authenticated attackers with access to public dashboards can extract database passwords, API keys, and other credentials without requiring additional privileges or user interaction. Proxied data-sources are not affected by this vulnerability.
Grafana Tempo leaks S3 SSE-C encryption keys in plaintext through its /status/config endpoint, enabling unauthenticated remote attackers to retrieve encryption keys protecting trace data stored in AWS S3. The CVSS score of 7.5 reflects high confidentiality impact with network-accessible attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, though the attack path is straightforward given the information disclosure nature of the vulnerability.
Grafana OSS provisioning contact points API fails to enforce the alert.notifications.receivers.protected:write permission, allowing users with the Editor role to modify protected webhook URLs and bypass intended authorization controls. This affects Grafana OSS versions 11.6.9 through 11.6.14, 12.1.5 through 12.1.10, 12.2.2 through 12.2.8, and 12.3.1 through 12.3.6. Authenticated Editor-level users can exploit this to reconfigure webhook destinations, potentially redirecting alert notifications to attacker-controlled endpoints. No public exploit identified at time of analysis.
Grafana MSSQL data source plugin versions across multiple release branches contain a logic flaw enabling low-privileged Viewer users to bypass API restrictions and trigger catastrophic out-of-memory exhaustion, resulting in host container denial of service. The vulnerability affects Grafana OSS versions 11.6.0 through 12.4.0 across multiple patch branches (11.6.14+security-01, 12.1.10+security-01, 12.2.8+security-01, 12.3.6+security-01, and 12.4.2 or later) and requires only network access and valid low-privileged credentials to exploit; no public exploit code or active exploitation has been confirmed at time of analysis.
Grafana Cubism Panel versions 0.1.2 and earlier contain a stored cross-site scripting (XSS) vulnerability where dashboard editors can inject malicious javascript: URIs into zoom-link handlers that execute with Grafana origin privileges when viewers interact with the panel. An authenticated attacker with editor permissions can craft a malicious dashboard that executes arbitrary JavaScript in the context of any user who zooms on the affected panel, potentially compromising sensitive data or session tokens.
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. [CVSS 2.6 LOW]
Grafana public dashboards with annotations enabled fail to enforce the dashboard's locked timerange restriction on annotation queries, allowing unauthenticated attackers to retrieve the complete annotation history beyond the intended viewing window. This information disclosure affects any organization exposing public dashboards with annotations, though only annotations already visible on the dashboard are accessible. No patch is currently available for this vulnerability.
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. [CVSS 6.8 MEDIUM]
Dashboard permission API fails to validate scope boundaries, allowing authenticated users with permission management rights on any single dashboard to read and modify permissions across all organization dashboards. This privilege escalation affects multi-user dashboard environments where permission isolation is expected. No patch is currently available.
Grafana is vulnerable to denial of service through resource exhaustion when processing uncached avatar requests with random hashes. Sustained requests cause goroutines to accumulate indefinitely due to timeout handling issues, eventually consuming all available memory and crashing the application. An unauthenticated remote attacker can exploit this vulnerability without user interaction to render affected Grafana instances unavailable.
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When using the Grafana Databricks Datasource Plugin, if OAuth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
When using the Grafana Snowflake Datasource Plugin, if OAuth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Grafana is an open-source platform for monitoring and observability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Grafana is an open-source platform for monitoring and observability. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive, due to an Improper Input Validation vulnerability in Grafana. This issue affects Grafana versions before 11.6.2 and is fixed in 11.6.2 and higher.
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.
CVE-2025-3260 is an authorization bypass vulnerability in Grafana's dashboard API endpoints (/apis/dashboard.grafana.app/*) that allows authenticated users to circumvent dashboard and folder permission controls across all API versions (v0alpha1, v1alpha1, v2alpha1). Affected users with viewer or editor roles can access, modify, or delete dashboards and folders they should not have permission to interact with, while organization isolation boundaries and datasource access controls remain unaffected. With a CVSS score of 8.3 and requiring only low-privilege authentication, this represents a significant risk to multi-tenant Grafana deployments and requires immediate patching.
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Tempo Operator incorrectly grants cluster-monitoring-view ClusterRole permissions to Tempo service accounts when Jaeger UI Monitor Tab is enabled, allowing authenticated users with TempoStack creation and Secret read permissions in a namespace to extract the service account token and gain unauthorized access to all cluster metrics. The vulnerability affects Grafana Tempo Operator and carries a CVSS score of 4.3 with low EPSS exploitation probability (0.21%, 44th percentile), indicating limited real-world attack likelihood despite the information disclosure impact. No public exploit code or active exploitation has been confirmed at time of analysis.
Grafana is an open-source platform for monitoring and observability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Grafana received a security fix packaged as version 12.4.4-r0 in Alpine Linux. The nature of the underlying vulnerability is not disclosed in the available intelligence - no CVE description, CWE classification, CVSS vector, or vendor advisory has been provided. The fix is confirmed only through Alpine Linux's package repository reporting. Security teams running Grafana on Alpine Linux should treat the 12.4.4-r0 package as the minimum safe version pending disclosure of full vulnerability details.
Grafana received a security fix in Alpine Linux's package repository, published as version 12.4.4-r0. The underlying vulnerability details, attack vector, and impact class are not disclosed in available intelligence data. No CVSS score, CWE classification, or vendor advisory from Grafana Labs has been identified at time of analysis, making independent risk assessment impossible beyond confirming that Alpine Linux maintainers deemed the fix security-relevant.
Grafana packaged for Alpine Linux contains an unspecified vulnerability addressed in Alpine package version 12.4.4-r0. The upstream Grafana version corresponding to the fix is 12.4.4. The nature of the vulnerability, its impact category, affected version range, and exploitation conditions are not disclosed in the available intelligence. No public exploit identified at time of analysis.
Grafana, as packaged in Alpine Linux, contains a vulnerability addressed in the Alpine package release 12.4.4-r0. The upstream Grafana version fixed is 12.4.4. The nature, impact, and exploitability of the underlying vulnerability are not disclosed in the available intelligence - only the fix packaging metadata has been published by the Alpine Linux vendor. Security teams running Grafana on Alpine Linux should treat this as a security-relevant update requiring investigation against Grafana upstream advisories.
Grafana on Alpine Linux was patched at package version 12.4.4-r0, addressing CVE-2026-42127. The underlying vulnerability type, attack vector, and impact have not been disclosed in the available intelligence - only the Alpine Linux vendor advisory confirming a fix is present. No CVSS score, CWE classification, or description of the flaw has been provided, making authoritative characterization impossible at this time.
Grafana, as packaged in Alpine Linux, contains a vulnerability fixed in package version 12.4.4-r0. The upstream Grafana version addressed is 12.4.4. The nature of the vulnerability - its impact class, affected functionality, and attacker capability - cannot be characterized from the available data, which consists solely of an Alpine Linux vendor advisory reference with no description, CVSS vector, CWE classification, or upstream advisory. No exploitation status has been established.
Grafana received a security fix in Alpine Linux package version 12.4.4-r0, addressing an unspecified vulnerability tracked as CVE-2026-8595. The nature of the vulnerability, affected component, and attacker capabilities are not disclosed in the available intelligence. No CVSS score, CWE classification, or upstream Grafana advisory has been provided, making independent risk assessment impossible at this time.
Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to create GrafanaDashboard or GrafanaLibraryPanel resources to steal the Kubernetes service account token of the operator manager pod. The jsonnet templating language, supported via spec.jsonnetLib, is evaluated unsandboxed inside the operator manager pod, enabling a path traversal payload to read sensitive files - including the mounted service account token - and exfiltrate it through the resulting dashboard output. No public exploit is identified at time of analysis, but successful exploitation yields cluster-level privilege escalation, reflected in the vendor-assigned CVSS 4.0 subsequent-system impact of SC:H/SI:H.
Unauthenticated cross-origin read and write access to local development secrets in the Nhost CLI configserver affects all developers running `nhost dev` with CLI versions prior to 1.46.0. The hidden `configserver` subcommand exposes a Mimir GraphQL API with no-op authorization middleware and wildcard CORS (`Access-Control-Allow-Origin: *`), allowing any web page from an arbitrary origin to exfiltrate Hasura admin secrets, JWT signing keys, webhook secrets, and Grafana credentials, or inject attacker-controlled values into the local `.secrets` file. Publicly available exploit code exists within the security advisory itself; this CVE is not listed in CISA KEV, so no confirmed active exploitation in the wild is established at time of analysis.
Unbounded memory allocation in Grafana OSS's plugin resources endpoint allows any authenticated low-privileged user to trigger an out-of-memory condition by sending a sufficiently large HTTP request body, resulting in denial of service against the Grafana instance. Affected versions span a wide range from 6.7.0 through 13.0.1, with vendor-released security patches available across all supported branches. No public exploit exists and CISA has not added this to the KEV catalog; the EPSS score of 0.04% (12th percentile) reflects very low observed exploitation probability.
Arbitrary file read in Grafana OSS exposes server filesystem contents to authenticated low-privilege users when the sqlExpressions feature toggle is enabled. Affected versions span the 11.6.x, 12.x, and 13.0.x release trains, with fixed security builds available across all affected branches. No public exploit code exists and CISA has not added this to the Known Exploited Vulnerabilities catalog; however, the confidentiality impact is rated High by CVSS due to the potential for unrestricted file disclosure from the Grafana server's filesystem.
Unbounded memory allocation in Grafana OSS's Live push endpoint allows any authenticated user to exhaust server memory by submitting a large or streaming HTTP request body, resulting in an out-of-memory condition and denial of service. Confirmed affected branches span Grafana OSS 8.0.0 through 13.0.1 across five actively maintained release lines, with vendor-released security patches available for each. No public exploit code exists and CISA has not listed this in KEV; the EPSS score of 0.04% (12th percentile) and SSVC exploitation status of 'none' collectively indicate low current real-world exploitation activity.
Grafana Live's concurrent request handling exposes authenticated Viewer-role users as a denial-of-service vector: sending concurrent requests triggers a fatal map access error that crashes the entire Grafana server, requiring a manual restart to restore service. All Grafana OSS releases from 8.2.0 through 13.0.1 are affected across multiple maintained branches, making the exposure surface exceptionally broad. No public exploit identified at time of analysis and EPSS sits at 0.04% (12th percentile), but the low privilege bar - any Viewer account - and reliable triggering (AC:L) mean insider threats and compromised low-privilege accounts represent a realistic DoS risk for organizations without guest/anonymous access controls.
Sensitive credentials and personal data leak through production error logs in Valtimo's web module via LoggingRestClientCustomizer. The component intercepts all outgoing Spring RestClient HTTP calls and includes full request/response bodies and headers in HttpClientErrorException messages logged at ERROR level, exposing JWT tokens, API keys, OAuth tokens, session cookies, and personal data (BSN numbers, case details) to anyone with log access or Valtimo admin role. Vendor-released patches available for both affected release lines (12.33.0 and 13.26.0). No public exploit identified at time of analysis, but exploitation requires only privileged access to logs rather than technical exploitation of a code vulnerability.
--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.
Grafana versions prior to patching are vulnerable to denial-of-service attacks via maliciously crafted resample queries that exhaust server memory and trigger out-of-memory crashes. Authenticated users with query execution privileges can exploit this low-complexity remote vulnerability to disrupt service availability. No public exploit code or confirmed active exploitation has been identified at the time of analysis, though the attack surface is broad given Grafana's widespread deployment in monitoring infrastructure.
Grafana's testdata data-source plugin allows authenticated users to trigger out-of-memory (OOM) crashes, causing a denial of service affecting availability. The vulnerability requires low-privilege user authentication and network access to the affected Grafana instance, enabling local or remote attackers with valid credentials to exhaust server memory resources without user interaction. No public exploit code or active exploitation has been confirmed at the time of analysis.
Remote code execution is achievable in Grafana installations through a chained attack combining SQL Expressions with a Grafana Enterprise plugin, affecting both open-source and Enterprise deployments. The vulnerability requires high-privilege authenticated access (PR:H) but enables cross-scope impact with complete system compromise once exploited. Only instances with the sqlExpressions feature toggle enabled are vulnerable, though Grafana recommends all users update to prevent future exploitation paths using this attack vector. No public exploit identified at time of analysis, and authentication as a high-privilege user is required per CVSS vector.
Grafana's OpenFeature feature toggle evaluation endpoint can be forced into an out-of-memory condition by submitting unbounded values, enabling remote denial-of-service attacks against the monitoring platform. The vulnerability is network-accessible, requires no authentication (CVSS AV:N/AC:L/PR:N), and has been assigned a CVSS score of 7.5 with high availability impact. No public exploit identified at time of analysis, and authentication requirements confirm unauthenticated access per the CVSS vector PR:N.
Grafana publicly exposes direct data-source credentials in public dashboards, allowing authenticated users to retrieve plaintext passwords for all configured direct data-sources regardless of whether those sources are actively referenced in the dashboard itself. Grafana versions affected by CVE-2026-27877 leak sensitive authentication material through an information disclosure vulnerability with a CVSS score of 6.5 (Medium severity). Authenticated attackers with access to public dashboards can extract database passwords, API keys, and other credentials without requiring additional privileges or user interaction. Proxied data-sources are not affected by this vulnerability.
Grafana Tempo leaks S3 SSE-C encryption keys in plaintext through its /status/config endpoint, enabling unauthenticated remote attackers to retrieve encryption keys protecting trace data stored in AWS S3. The CVSS score of 7.5 reflects high confidentiality impact with network-accessible attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, though the attack path is straightforward given the information disclosure nature of the vulnerability.
Grafana OSS provisioning contact points API fails to enforce the alert.notifications.receivers.protected:write permission, allowing users with the Editor role to modify protected webhook URLs and bypass intended authorization controls. This affects Grafana OSS versions 11.6.9 through 11.6.14, 12.1.5 through 12.1.10, 12.2.2 through 12.2.8, and 12.3.1 through 12.3.6. Authenticated Editor-level users can exploit this to reconfigure webhook destinations, potentially redirecting alert notifications to attacker-controlled endpoints. No public exploit identified at time of analysis.
Grafana MSSQL data source plugin versions across multiple release branches contain a logic flaw enabling low-privileged Viewer users to bypass API restrictions and trigger catastrophic out-of-memory exhaustion, resulting in host container denial of service. The vulnerability affects Grafana OSS versions 11.6.0 through 12.4.0 across multiple patch branches (11.6.14+security-01, 12.1.10+security-01, 12.2.8+security-01, 12.3.6+security-01, and 12.4.2 or later) and requires only network access and valid low-privileged credentials to exploit; no public exploit code or active exploitation has been confirmed at time of analysis.
Grafana Cubism Panel versions 0.1.2 and earlier contain a stored cross-site scripting (XSS) vulnerability where dashboard editors can inject malicious javascript: URIs into zoom-link handlers that execute with Grafana origin privileges when viewers interact with the panel. An authenticated attacker with editor permissions can craft a malicious dashboard that executes arbitrary JavaScript in the context of any user who zooms on the affected panel, potentially compromising sensitive data or session tokens.
A time-of-check-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted by users without permission to do so. [CVSS 2.6 LOW]
Grafana public dashboards with annotations enabled fail to enforce the dashboard's locked time range restriction on annotation queries, allowing unauthenticated attackers to retrieve the complete annotation history beyond the intended viewing window. This information disclosure affects any organization exposing public dashboards with annotations, though only annotations already visible on the dashboard are accessible. No patch is currently available for this vulnerability.
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, allowing malicious JavaScript to be injected into the browser. Exploitation requires malicious JavaScript to be entered into the stack trace field. [CVSS 6.8 MEDIUM]
Dashboard permission API fails to validate scope boundaries, allowing authenticated users with permission management rights on any single dashboard to read and modify permissions across all organization dashboards. This privilege escalation affects multi-user dashboard environments where permission isolation is expected. No patch is currently available.
Grafana is vulnerable to denial of service through resource exhaustion when processing uncached avatar requests with random hashes. Sustained requests cause goroutines to accumulate indefinitely due to timeout handling issues, eventually consuming all available memory and crashing the application. An unauthenticated remote attacker can exploit this vulnerability without user interaction to render affected Grafana instances unavailable.
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch is available.
When using the Grafana Databricks Datasource Plugin, if OAuth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance,. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
When using the Grafana Snowflake Datasource Plugin, if OAuth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance,. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
Grafana is an open-source platform for monitoring and observability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
The Volkov Labs Business Links panel for Grafana provides an interface for navigating via external links, internal dashboards, time pickers, and dropdown menus. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
Grafana is an open-source platform for monitoring and observability. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
In Grafana, an excessively long dashboard title or panel name causes Chromium-based browsers to become unresponsive, due to an improper input validation vulnerability. This issue affects Grafana versions before 11.6.2 and is fixed in 11.6.2 and higher.
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character to the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints of Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.
CVE-2025-3260 is an authorization bypass vulnerability in Grafana's dashboard API endpoints (/apis/dashboard.grafana.app/*) that allows authenticated users to circumvent dashboard and folder permission controls across all API versions (v0alpha1, v1alpha1, v2alpha1). Affected users with viewer or editor roles can access, modify, or delete dashboards and folders they should not have permission to interact with, while organization isolation boundaries and datasource access controls remain unaffected. With a CVSS score of 8.3 and requiring only low-privilege authentication, this represents a significant risk to multi-tenant Grafana deployments and requires immediate patching.
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
A cross-site scripting (XSS) vulnerability exists in Grafana, caused by combining a client-side path traversal with an open redirect. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch is available.
Tempo Operator incorrectly grants cluster-monitoring-view ClusterRole permissions to Tempo service accounts when Jaeger UI Monitor Tab is enabled, allowing authenticated users with TempoStack creation and Secret read permissions in a namespace to extract the service account token and gain unauthorized access to all cluster metrics. The vulnerability affects Grafana Tempo Operator and carries a CVSS score of 4.3 with low EPSS exploitation probability (0.21%, 44th percentile), indicating limited real-world attack likelihood despite the information disclosure impact. No public exploit code or active exploitation has been confirmed at time of analysis.
Grafana is an open-source platform for monitoring and observability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
Grafana received a security fix packaged as version 12.4.4-r0 in Alpine Linux. The nature of the underlying vulnerability is not disclosed in the available intelligence - no CVE description, CWE classification, CVSS vector, or vendor advisory has been provided. The fix is confirmed only through Alpine Linux's package repository reporting. Security teams running Grafana on Alpine Linux should treat the 12.4.4-r0 package as the minimum safe version pending disclosure of full vulnerability details.
Grafana received a security fix in Alpine Linux's package repository, published as version 12.4.4-r0. The underlying vulnerability details, attack vector, and impact class are not disclosed in available intelligence data. No CVSS score, CWE classification, or vendor advisory from Grafana Labs has been identified at time of analysis, making independent risk assessment impossible beyond confirming that Alpine Linux maintainers deemed the fix security-relevant.
Grafana packaged for Alpine Linux contains an unspecified vulnerability addressed in Alpine package version 12.4.4-r0. The upstream Grafana version corresponding to the fix is 12.4.4. The nature of the vulnerability, its impact category, affected version range, and exploitation conditions are not disclosed in the available intelligence. No public exploit identified at time of analysis.
Grafana, as packaged in Alpine Linux, contains a vulnerability addressed in the Alpine package release 12.4.4-r0. The upstream Grafana version fixed is 12.4.4. The nature, impact, and exploitability of the underlying vulnerability are not disclosed in the available intelligence - only the fix packaging metadata has been published by the Alpine Linux vendor. Security teams running Grafana on Alpine Linux should treat this as a security-relevant update requiring investigation against Grafana upstream advisories.
Grafana on Alpine Linux was patched at package version 12.4.4-r0, addressing CVE-2026-42127. The underlying vulnerability type, attack vector, and impact have not been disclosed in the available intelligence - only the Alpine Linux vendor advisory confirming a fix is present. No CVSS score, CWE classification, or description of the flaw has been provided, making authoritative characterization impossible at this time.
Grafana, as packaged in Alpine Linux, contains a vulnerability fixed in package version 12.4.4-r0. The upstream Grafana version addressed is 12.4.4. The nature of the vulnerability - its impact class, affected functionality, and attacker capability - cannot be characterized from the available data, which consists solely of an Alpine Linux vendor advisory reference with no description, CVSS vector, CWE classification, or upstream advisory. No exploitation status has been established.
Grafana received a security fix in Alpine Linux package version 12.4.4-r0, addressing an unspecified vulnerability tracked as CVE-2026-8595. The nature of the vulnerability, affected component, and attacker capabilities are not disclosed in the available intelligence. No CVSS score, CWE classification, or upstream Grafana advisory has been provided, making independent risk assessment impossible at this time.