Grafana
Monthly
Grafana versions prior to patching are vulnerable to denial-of-service attacks via maliciously crafted resample queries that exhaust server memory and trigger out-of-memory crashes. Authenticated users with query execution privileges can exploit this low-complexity remote vulnerability to disrupt service availability. No public exploit code or confirmed active exploitation has been identified at the time of analysis, though the attack surface is broad given Grafana's widespread deployment in monitoring infrastructure.
Grafana's testdata data-source plugin allows authenticated users to trigger out-of-memory (OOM) crashes, causing a denial of service affecting availability. The vulnerability requires low-privilege user authentication and network access to the affected Grafana instance, enabling local or remote attackers with valid credentials to exhaust server memory resources without user interaction. No public exploit code or active exploitation has been confirmed at the time of analysis.
Remote code execution is achievable in Grafana installations through a chained attack combining SQL Expressions with a Grafana Enterprise plugin, affecting both open-source and Enterprise deployments. The vulnerability requires high-privilege authenticated access (PR:H) but enables cross-scope impact with complete system compromise once exploited. Only instances with the sqlExpressions feature toggle enabled are vulnerable, though Grafana recommends all users update to prevent future exploitation paths using this attack vector. No public exploit identified at time of analysis, and authentication as a high-privilege user is required per CVSS vector.
Grafana Tempo leaks S3 SSE-C encryption keys in plaintext through its /status/config endpoint, enabling unauthenticated remote attackers to retrieve encryption keys protecting trace data stored in AWS S3. The CVSS score of 7.5 reflects high confidentiality impact with network-accessible attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, though the attack path is straightforward given the information disclosure nature of the vulnerability.
Grafana OSS provisioning contact points API fails to enforce the alert.notifications.receivers.protected:write permission, allowing users with the Editor role to modify protected webhook URLs and bypass intended authorization controls. This affects Grafana OSS versions 11.6.9 through 11.6.14, 12.1.5 through 12.1.10, 12.2.2 through 12.2.8, and 12.3.1 through 12.3.6. Authenticated Editor-level users can exploit this to reconfigure webhook destinations, potentially redirecting alert notifications to attacker-controlled endpoints. No public exploit identified at time of analysis.
Grafana MSSQL data source plugin versions across multiple release branches contain a logic flaw enabling low-privileged Viewer users to bypass API restrictions and trigger catastrophic out-of-memory exhaustion, resulting in host container denial of service. The vulnerability affects Grafana OSS versions 11.6.0 through 12.4.0 across multiple patch branches (11.6.14+security-01, 12.1.10+security-01, 12.2.8+security-01, 12.3.6+security-01, and 12.4.2 or later) and requires only network access and valid low-privileged credentials to exploit; no public exploit code or active exploitation has been confirmed at time of analysis.
Grafana Cubism Panel versions 0.1.2 and earlier contain a stored cross-site scripting (XSS) vulnerability where dashboard editors can inject malicious javascript: URIs into zoom-link handlers that execute with Grafana origin privileges when viewers interact with the panel. An authenticated attacker with editor permissions can craft a malicious dashboard that executes arbitrary JavaScript in the context of any user who zooms on the affected panel, potentially compromising sensitive data or session tokens.
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. [CVSS 2.6 LOW]
Grafana public dashboards with annotations enabled fail to enforce the dashboard's locked timerange restriction on annotation queries, allowing unauthenticated attackers to retrieve the complete annotation history beyond the intended viewing window. This information disclosure affects any organization exposing public dashboards with annotations, though only annotations already visible on the dashboard are accessible. No patch is currently available for this vulnerability.
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. [CVSS 6.8 MEDIUM]
Grafana is vulnerable to denial of service through resource exhaustion when processing uncached avatar requests with random hashes. Sustained requests cause goroutines to accumulate indefinitely due to timeout handling issues, eventually consuming all available memory and crashing the application. An unauthenticated remote attacker can exploit this vulnerability without user interaction to render affected Grafana instances unavailable.
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When using the Grafana Databricks Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance,. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
When using the Grafana Snowflake Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance,. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Grafana is an open-source platform for monitoring and observability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Grafana is an open-source platform for monitoring and observability. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher.
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.
CVE-2025-3260 is an authorization bypass vulnerability in Grafana's dashboard API endpoints (/apis/dashboard.grafana.app/*) that allows authenticated users to circumvent dashboard and folder permission controls across all API versions (v0alpha1, v1alpha1, v2alpha1). Affected users with viewer or editor roles can access, modify, or delete dashboards and folders they should not have permission to interact with, while organization isolation boundaries and datasource access controls remain unaffected. With a CVSS score of 8.3 and requiring only low-privilege authentication, this represents a significant risk to multi-tenant Grafana deployments and requires immediate patching.
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Tempo Operator incorrectly grants cluster-monitoring-view ClusterRole permissions to Tempo service accounts when Jaeger UI Monitor Tab is enabled, allowing authenticated users with TempoStack creation and Secret read permissions in a namespace to extract the service account token and gain unauthorized access to all cluster metrics. The vulnerability affects Grafana Tempo Operator and carries a CVSS score of 4.3 with low EPSS exploitation probability (0.21%, 44th percentile), indicating limited real-world attack likelihood despite the information disclosure impact. No public exploit code or active exploitation has been confirmed at time of analysis.
Grafana is an open-source platform for monitoring and observability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Grafana versions prior to patching are vulnerable to denial-of-service attacks via maliciously crafted resample queries that exhaust server memory and trigger out-of-memory crashes. Authenticated users with query execution privileges can exploit this low-complexity remote vulnerability to disrupt service availability. No public exploit code or confirmed active exploitation has been identified at the time of analysis, though the attack surface is broad given Grafana's widespread deployment in monitoring infrastructure.
Grafana's testdata data-source plugin allows authenticated users to trigger out-of-memory (OOM) crashes, causing a denial of service affecting availability. The vulnerability requires low-privilege user authentication and network access to the affected Grafana instance, enabling local or remote attackers with valid credentials to exhaust server memory resources without user interaction. No public exploit code or active exploitation has been confirmed at the time of analysis.
Remote code execution is achievable in Grafana installations through a chained attack combining SQL Expressions with a Grafana Enterprise plugin, affecting both open-source and Enterprise deployments. The vulnerability requires high-privilege authenticated access (PR:H) but enables cross-scope impact with complete system compromise once exploited. Only instances with the sqlExpressions feature toggle enabled are vulnerable, though Grafana recommends all users update to prevent future exploitation paths using this attack vector. No public exploit identified at time of analysis, and authentication as a high-privilege user is required per CVSS vector.
Grafana Tempo leaks S3 SSE-C encryption keys in plaintext through its /status/config endpoint, enabling unauthenticated remote attackers to retrieve encryption keys protecting trace data stored in AWS S3. The CVSS score of 7.5 reflects high confidentiality impact with network-accessible attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, though the attack path is straightforward given the information disclosure nature of the vulnerability.
Grafana OSS provisioning contact points API fails to enforce the alert.notifications.receivers.protected:write permission, allowing users with the Editor role to modify protected webhook URLs and bypass intended authorization controls. This affects Grafana OSS versions 11.6.9 through 11.6.14, 12.1.5 through 12.1.10, 12.2.2 through 12.2.8, and 12.3.1 through 12.3.6. Authenticated Editor-level users can exploit this to reconfigure webhook destinations, potentially redirecting alert notifications to attacker-controlled endpoints. No public exploit identified at time of analysis.
Grafana MSSQL data source plugin versions across multiple release branches contain a logic flaw enabling low-privileged Viewer users to bypass API restrictions and trigger catastrophic out-of-memory exhaustion, resulting in host container denial of service. The vulnerability affects Grafana OSS versions 11.6.0 through 12.4.0 across multiple patch branches (11.6.14+security-01, 12.1.10+security-01, 12.2.8+security-01, 12.3.6+security-01, and 12.4.2 or later) and requires only network access and valid low-privileged credentials to exploit; no public exploit code or active exploitation has been confirmed at time of analysis.
Grafana Cubism Panel versions 0.1.2 and earlier contain a stored cross-site scripting (XSS) vulnerability where dashboard editors can inject malicious javascript: URIs into zoom-link handlers that execute with Grafana origin privileges when viewers interact with the panel. An authenticated attacker with editor permissions can craft a malicious dashboard that executes arbitrary JavaScript in the context of any user who zooms on the affected panel, potentially compromising sensitive data or session tokens.
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. [CVSS 2.6 LOW]
Grafana public dashboards with annotations enabled fail to enforce the dashboard's locked timerange restriction on annotation queries, allowing unauthenticated attackers to retrieve the complete annotation history beyond the intended viewing window. This information disclosure affects any organization exposing public dashboards with annotations, though only annotations already visible on the dashboard are accessible. No patch is currently available for this vulnerability.
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. [CVSS 6.8 MEDIUM]
Grafana is vulnerable to denial of service through resource exhaustion when processing uncached avatar requests with random hashes. Sustained requests cause goroutines to accumulate indefinitely due to timeout handling issues, eventually consuming all available memory and crashing the application. An unauthenticated remote attacker can exploit this vulnerability without user interaction to render affected Grafana instances unavailable.
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When using the Grafana Databricks Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance,. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
When using the Grafana Snowflake Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance,. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Grafana is an open-source platform for monitoring and observability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Grafana is an open-source platform for monitoring and observability. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher.
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.
CVE-2025-3260 is an authorization bypass vulnerability in Grafana's dashboard API endpoints (/apis/dashboard.grafana.app/*) that allows authenticated users to circumvent dashboard and folder permission controls across all API versions (v0alpha1, v1alpha1, v2alpha1). Affected users with viewer or editor roles can access, modify, or delete dashboards and folders they should not have permission to interact with, while organization isolation boundaries and datasource access controls remain unaffected. With a CVSS score of 8.3 and requiring only low-privilege authentication, this represents a significant risk to multi-tenant Grafana deployments and requires immediate patching.
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Tempo Operator incorrectly grants cluster-monitoring-view ClusterRole permissions to Tempo service accounts when Jaeger UI Monitor Tab is enabled, allowing authenticated users with TempoStack creation and Secret read permissions in a namespace to extract the service account token and gain unauthorized access to all cluster metrics. The vulnerability affects Grafana Tempo Operator and carries a CVSS score of 4.3 with low EPSS exploitation probability (0.21%, 44th percentile), indicating limited real-world attack likelihood despite the information disclosure impact. No public exploit code or active exploitation has been confirmed at time of analysis.
Grafana is an open-source platform for monitoring and observability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.