Skip to main content

Grafana Mcp Server

1 CVEs product

Monthly

CVE-2026-15583 HIGH This Week

Server-side request forgery and credential theft in Grafana MCP Server lets an unauthenticated remote attacker steal the server's environment-configured Grafana service-account token by sending a crafted X-Grafana-URL request header, and pivot to reach arbitrary internal services including cloud metadata endpoints. The token grants the attacker the MCP server's full Grafana privileges, and the SSRF primitive exposes internal infrastructure behind the network perimeter. No public exploit identified at time of analysis, but the CVSS 8.6 (scope-changed) rating and unauthenticated network vector make this a high-priority fix.

Grafana SSRF Grafana Mcp Server
NVD VulDB
CVSS 3.1
8.6
EPSS
0.3%
EPSS 0% CVSS 8.6
HIGH This Week

Server-side request forgery and credential theft in Grafana MCP Server lets an unauthenticated remote attacker steal the server's environment-configured Grafana service-account token by sending a crafted X-Grafana-URL request header, and pivot to reach arbitrary internal services including cloud metadata endpoints. The token grants the attacker the MCP server's full Grafana privileges, and the SSRF primitive exposes internal infrastructure behind the network perimeter. No public exploit identified at time of analysis, but the CVSS 8.6 (scope-changed) rating and unauthenticated network vector make this a high-priority fix.

Grafana SSRF Grafana Mcp Server
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy