CVE-2021-39226
published 2021-10-05


Priority: P1 (89) · Severity: high · CVSS 3.1 base score: 7.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-09-15
Exploited in the wild
EPSS: 99.89% (100.0th percentile)
Grafana is an open source data visualization platform. In affected versions, unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths /dashboard/snapshot/:key or /api/snapshots/:key.

If the snapshot "public_mode" configuration setting is set to true (the default is false), unauthenticated users are also able to delete the snapshot with the lowest database key by accessing the literal path /api/snapshots-delete/:deleteKey. Regardless of the "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths /api/snapshots/:key or /api/snapshots-delete/:deleteKey.

Because each deletion makes the next-lowest key the new lowest one, alternating viewing and deletion walks through every snapshot in the database and destroys all of them in the process: complete disclosure of snapshot data combined with complete snapshot data loss.

This issue has been resolved in versions 8.1.6 and 7.5.11. If you cannot upgrade, use a reverse proxy or similar to block access to the literal paths /api/snapshots/:key, /api/snapshots-delete/:deleteKey and /dashboard/snapshot/:key. They have no normal function and can be disabled without side effects.

Affected

7 ranges

Vendor          Product           Version range        Fixed in
fedoraproject   fedora            (not specified)      (not specified)
fedoraproject   fedora            (not specified)      (not specified)
github.com      grafana_grafana   >= 0, < 7.5.11       7.5.11
github.com      grafana_grafana   >= 8.0.0, < 8.1.6    8.1.6
grafana         grafana           < 7.5.11             7.5.11
grafana         grafana           (not specified)      (not specified)
grafana         grafana           >= 8.0.0, < 8.1.6    8.1.6

Detection & IOCs (extracted from sources)

path: /api/snapshots/:key
path: /dashboard/snapshot/:key
path: /api/snapshots-delete/:deleteKey
snort rule (ET Open sid 2061338, Suricata keyword syntax):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Grafana Snapshot Authentication Bypass (CVE-2021-39226)"; flow:established,to_server; http.uri; content:"|2f 3a|key"; fast_pattern; endswith; pcre:"/^\x2f(?:api|dashboard)\x2fsnapshots?\x2f\x3akey$/U"; reference:url,github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9; reference:cve,2021-39226; classtype:web-application-attack; sid:2061338; rev:1; metadata:affected_product Grafana, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_07, cve CVE_2021_39226, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • An HTTP GET request to the literal path /api/snapshots/:key (the string ':key', not a real key) triggers the auth bypass; the server returns HTTP 200 with a body containing '"isSnapshot":true'
  • The exploit uses the literal string ':key' (not a real key value) in the URI path. The rule's PCRE, ^/(?:api|dashboard)/snapshots?/:key$, fires only on a URI that is exactly /api/snapshots/:key or /dashboard/snapshot/:key (singular or plural accepted under either prefix). It does not match the deletion path /api/snapshots-delete/:deleteKey, so deletion attempts need separate coverage
  • Shodan/FOFA queries can be used to identify exposed Grafana instances as targets: search for title:"Grafana" or http.title:"grafana"
  • The combination of viewing (GET /api/snapshots/:key) and deletion (DELETE /api/snapshots/:key or GET /api/snapshots-delete/:deleteKey) in sequence indicates active exploitation; monitor for repeated sequential access to these literal paths
  • The unauthenticated snapshot deletion path (/api/snapshots-delete/:deleteKey) is only exploitable when the 'public_mode' configuration setting is set to true; the default is false, which limits unauthenticated deletion but NOT unauthenticated viewing
  • Authenticated users can delete snapshots via /api/snapshots/:key or /api/snapshots-delete/:deleteKey regardless of the public_mode setting; authentication alone does not prevent abuse
  • In OpenShift-based deployments (OCP, RHACM, OSSM), Grafana is protected by OpenShift OAuth, which reduces exploitability; additionally, snapshots by default do not contain sensitive data in those environments
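Log-based detection for the literal paths above, as an added example that is not part of this page or of the Grafana project. It scans reverse-proxy access-log lines (assumed Combined log format; the sample lines are constructed) for the three literal snapshot paths, tells viewing from deletion by method and path, and reports any source that viewed and then deleted, which is the walk the advisory describes. Unlike the ET rule, it also covers /api/snapshots-delete/:deleteKey. Percent-decoding the path before the comparison is a defensive assumption of this example; the advisory does not say whether Grafana's router accepts ':' encoded as '%3A'.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Literal route templates named in the advisory. The exploit sends these
# strings verbatim; a real snapshot key in the same position is normal traffic.
VIEW_PATHS = {"/api/snapshots/:key", "/dashboard/snapshot/:key"}
DELETE_KEY_PATH = "/api/snapshots/:key"              # deletes when the method is DELETE
DELETE_PATHS = {"/api/snapshots-delete/:deleteKey"}  # deletes on a plain GET

# Combined/NCSA access-log line as written by a reverse proxy in front of
# Grafana (assumed format; adjust the regex for your proxy or log source).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify(method: str, raw_path: str) -> Optional[str]:
    """Return "view", "delete" or None for one request.

    The query string is dropped and the path percent-decoded before an exact
    comparison (decoding is a defensive assumption so "%3Akey" is not missed).
    Exact matching means /api/snapshots/AbCd12 is never flagged.
    """
    path = unquote(raw_path.split("?", 1)[0])
    if path == DELETE_KEY_PATH and method == "DELETE":
        return "delete"
    if path in VIEW_PATHS and method == "GET":
        return "view"
    if path in DELETE_PATHS:
        return "delete"
    return None


def scan_access_log(lines):
    """Parse log lines and return the requests that hit a literal path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["method"], m["path"])
        if kind is not None:
            hits.append({
                "src": m["src"], "ts": m["ts"], "kind": kind,
                "method": m["method"], "path": m["path"],
                "status": int(m["status"]),  # 200 = succeeded, 403/404 = blocked attempt
            })
    return hits


def walking_sources(hits):
    """Sources that viewed a snapshot and later deleted one: the view/delete
    walk the advisory describes. Assumes hits are in log (time) order."""
    viewed = set()
    walkers = []
    for h in hits:
        if h["kind"] == "view":
            viewed.add(h["src"])
        elif h["kind"] == "delete" and h["src"] in viewed and h["src"] not in walkers:
            walkers.append(h["src"])
    return walkers


# Constructed sample log (documentation address ranges): one walker, one
# legitimate viewer who also probes once, one authenticated deleter.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Oct/2021:10:00:01 +0000] "GET /api/snapshots/:key HTTP/1.1" 200 1843 "-" "curl/7.79.1"',
    '198.51.100.7 - - [05/Oct/2021:10:00:02 +0000] "GET /api/snapshots-delete/:deleteKey HTTP/1.1" 200 27 "-" "curl/7.79.1"',
    '198.51.100.7 - - [05/Oct/2021:10:00:03 +0000] "GET /api/snapshots/%3Akey HTTP/1.1" 200 1790 "-" "curl/7.79.1"',
    '203.0.113.9 - - [05/Oct/2021:10:00:05 +0000] "GET /api/snapshots/AbCd1234 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Oct/2021:10:00:06 +0000] "GET /dashboard/snapshot/:key?orgId=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [05/Oct/2021:10:00:07 +0000] "DELETE /api/snapshots/:key HTTP/1.1" 200 27 "-" "python-requests/2.26"',
]

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]:<13} {h["kind"]:<6} {h["method"]} {h["path"]} -> {h["status"]}')
    print("view-then-delete walk from:", walking_sources(found))
```

The exact-match set in VIEW_PATHS and DELETE_PATHS is the same three literal paths the advisory tells you to block at a reverse proxy as the interim mitigation; once such a deny rule is in place, the scanner shows attempts as 403/404 rather than 200, which is the quickest way to confirm the block works and to see who is still probing.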

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.3     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd             v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa                      7.3     HIGH
osv                       7.3     HIGH
vulncheck                 9.8     CRITICAL
cisa                      7.3     HIGH
vendor_redhat             9.8     CRITICAL