CVE-2021-39226
Published: 2021-10-05
Priority: P189 · high · CVSS 3.1 score 7.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA Known Exploited Vulnerability (remediation due 2022-09-15) · Exploited in the wild
EPSS: 99.89% (100.0th percentile)
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github.com | grafana_grafana | >= 0 < 7.5.11 | 7.5.11 |
| github.com | grafana_grafana | >= 8.0.0 < 8.1.6 | 8.1.6 |
| grafana | grafana | < 7.5.11 | 7.5.11 |
| grafana | grafana | — | — |
| grafana | grafana | >= 8.0.0 < 8.1.6 | 8.1.6 |
Detection & IOCs (extracted from sources)
Rule (snort):
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Grafana Snapshot Authentication Bypass (CVE-2021-39226)"; flow:established,to_server; http.uri; content:"|2f 3a|key"; fast_pattern; endswith; pcre:"/^\x2f(?:api|dashboard)\x2fsnapshots?\x2f\x3akey$/U"; reference:url,github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9; reference:cve,2021-39226; classtype:web-application-attack; sid:2061338; rev:1; metadata:affected_product Grafana, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_07, cve CVE_2021_39226, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- An HTTP GET request to the literal path /api/snapshots/:key (with the literal string ':key') triggers the auth bypass; the server returns HTTP 200 with a body containing '"isSnapshot":true'.
- The exploit uses the literal string ':key' (not a real key value) in the URI path; the Snort PCRE pattern matches the exact literal path ending in '/:key' under both the /api/snapshots/ and /dashboard/snapshot/ prefixes.
- Shodan/FOFA queries can be used to identify exposed Grafana instances as targets: search for title:"Grafana" or http.title:"grafana".
- The combination of viewing (GET /api/snapshots/:key) and deletion (DELETE /api/snapshots/:key or GET /api/snapshots-delete/:deleteKey) in sequence indicates active exploitation; monitor for repeated sequential access to these literal paths.
- The unauthenticated snapshot deletion path (/api/snapshots-delete/:deleteKey) is only exploitable when the 'public_mode' configuration setting is set to true; the default is false, which limits unauthenticated deletion but NOT unauthenticated viewing.
- Authenticated users can delete snapshots via /api/snapshots/:key or /api/snapshots-delete/:deleteKey regardless of the public_mode setting; authentication alone does not prevent abuse.
- In OpenShift-based deployments (OCP, RHACM, OSSM), Grafana is protected by OpenShift OAuth, which reduces exploitability; additionally, snapshots by default do not contain sensitive data in those environments.
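An added defender-side example, not from the page or from any of the sources above: this Python script applies the detection notes to constructed Grafana access log lines, flagging requests to the literal placeholder paths and listing clients that both viewed and deleted, the sequence the notes tie to active exploitation. The combined-log layout, the sample addresses and the function names are assumptions.

```python
import re
from collections import defaultdict

# Literal route placeholders named in the advisory. A real client never sends
# ":key" or ":deleteKey" verbatim, so a single hit is already worth an alert.
LITERAL_VIEW = re.compile(r"^/(?:api/snapshots?|dashboard/snapshot)/:key$")
LITERAL_DELETE = re.compile(r"^/api/snapshots-delete/:deleteKey$")

# Assumed combined-log layout; only client IP, method, path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
def classify(method, path):
    """Return 'view', 'delete' or None for one request line."""
    if LITERAL_VIEW.match(path):
        # GET on /api/snapshots/:key views; DELETE on the same path deletes.
        return "delete" if method == "DELETE" else "view"
    if LITERAL_DELETE.match(path):
        # Deletes for any authenticated user, and unauthenticated only when
        # the snapshots public_mode setting is true.
        return "delete"
    return None

def scan(log_lines):
    """Return (hits, walkers): each literal-path hit as (ip, kind, path, status),
    plus the sorted clients that both viewed and deleted (the walk pattern)."""
    hits, kinds = [], defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        kind = classify(m["method"], m["path"]) if m else None
        if kind is None:
            continue
        hits.append((m["ip"], kind, m["path"], int(m["status"])))
        kinds[m["ip"]].add(kind)
    walkers = sorted(ip for ip, seen in kinds.items() if {"view", "delete"} <= seen)
    return hits, walkers

# Constructed sample log (RFC 5737 addresses), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Apr/2025:10:00:01 +0000] "GET /api/snapshots/:key HTTP/1.1" 200 5123',
    '203.0.113.7 - - [07/Apr/2025:10:00:02 +0000] "DELETE /api/snapshots/:key HTTP/1.1" 200 27',
    '198.51.100.9 - - [07/Apr/2025:10:01:00 +0000] "GET /dashboard/snapshot/:key HTTP/1.1" 200 8100',
    '198.51.100.9 - - [07/Apr/2025:10:01:05 +0000] "GET /api/snapshots-delete/:deleteKey HTTP/1.1" 200 27',
    '192.0.2.4 - - [07/Apr/2025:10:02:00 +0000] "GET /api/snapshots/:key HTTP/1.1" 200 5123',
    '192.0.2.4 - - [07/Apr/2025:10:02:30 +0000] "GET /api/snapshots/abcd1234key HTTP/1.1" 200 5123',
]
if __name__ == "__main__":
    found, walkers = scan(SAMPLE_LOG)
    print(len(found), "literal-path hits; view+delete walk from:", walkers)
```

A request carrying a real snapshot key (last sample line) is not flagged, so the check stays quiet on normal snapshot sharing and only fires on the literal placeholder routes.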
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 7.3 | HIGH | — |
| osv | — | 7.3 | HIGH | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 7.3 | HIGH | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
CISA: Grafana Authentication Bypass Vulnerability
cisa · 2022-08-25 · CVSS 7.3 (HIGH) · CWE-287
Vulnerability: Grafana Authentication Bypass Vulnerability
Affected: Grafana Labs Grafana
Grafana contains an authentication bypass vulnerability that allows authenticated and unauthenticated users to view and delete all snapshot data, potentially resulting in complete snapshot data loss.
Required Action: Apply updates per vendor instructions.
Notes: https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/; https://nvd.nist.gov/vuln/detail/CVE-2021-39226
Remediation Due Date: 2022-09-15
Red Hat: grafana: Snapshot authentication bypass
vendor_redhat · 2021-10-05 · CVSS 9.8 (CRITICAL) · CWE-639
OSV: Authentication bypass for viewing and deletions of snapshots
osv · 2021-10-05 · CVSS 7.3 (HIGH)
Today we are releasing Grafana 7.5.11, and 8.1.6. These patch releases include an important security fix for an issue that affects all Grafana versions from 2.0.1.
[Grafana Cloud](https://grafana.com/cloud) instances have already been patched and an audit did not find any usage of this attack vector. [Grafana Enterprise](https://grafana.com/products/enterprise) customers were provided with updated binaries under embargo.
8.1.5 contained a single fix for bar chart panels. We believe that users can expedite deployment by moving from 8.1.4 to 8.1.6 directly.
## CVE-2021-39226 Snapshot authentication bypass
### Summary
CVSS Score: 9.8 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
We received a security report to [secur
GHSA: Authentication bypass for viewing and deletions of snapshots
ghsa · 2021-10-05 · CVSS 7.3 (HIGH) · CWE-287
OSV: CVE-2021-39226: Grafana is an open source data visualization platform
osv · 2021-10-05 · CVSS 7.3 (HIGH)
VulnCheck: Grafana Authentication Bypass Vulnerability
vulncheck · 2021 · CVSS 9.8 (CRITICAL) · CWE-287
Affected: Grafana Labs Grafana
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2021-39226
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2021-39226
- https://das
Suricata: ET WEB_SPECIFIC_APPS Grafana Snapshot Authentication Bypass (CVE-2021-39226)
suricata · 2025-04-07 · CVSS 9.8 (CRITICAL)
Nuclei: Grafana Snapshot - Authentication Bypass
nuclei · CVSS 7.3 (HIGH)
Grafana instances up to 7.5.11 and 8.1.5 allow remote unauthenticated users to view the snapshot associated with the lowest database key by accessing the literal paths /api/snapshot/:key or /dashboard/snapshot/:key. If the snapshot is in public mode, unauthenticated users can delete snapshots by accessing the endpoint /api/snapshots-delete/:deleteKey. Authenticated users can also delete snapshots by accessing the endpoints /api/snapshots-delete/:deleteKey, or sending a delete request to /api/snapshot/:key, regardless of whether or not the snapshot is set to public mode (disabled by default).
Template:
```yaml
id: CVE-2021-39226
info:
  name: Grafana Snapshot - Authentication Bypass
  author: Evan Rubinstein,matejsmycka
  severity: high
  description: Grafana in
```
Unit42: Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More
blogs_unit42 · 2022-08-19 · CVSS 8.8 (indexed under CVE-2021-20166 [HIGH])
Yue Guan, published August 19, 2022
## Executive Summary
Recent observations of exploits used in the wild reveal that attackers have been making use of newly published remote code execution vulnerabilities in VMware ONE Access and Identity Manager and Spring Cloud Function, Spring MVC and Spring Web Flux, among others. Attackers have also been taking advantage of a cross-site scripting vulnerability in WordPress core, and SQL injection vulnerabilities in VoIPmonitor GUI and other services. In our observations of network security trends, Unit 42 researchers select exploits of the latest published attacks that defenders should know based on the availability of proofs of concept (PoCs), the severity of the vulnerabilities the exploits are based on and the ease of exploitation.
Other insights that could assist defenders includ
HackerOne: CVE-2021-39226 Discovered on endpoint https://██████/api/snapshots
hackerone · 2024-06-18 · CVSS 9.8 (CRITICAL)
**Description:**
CVE-2021-39226 Discovered on endpoint https://███████/api/snapshots/:key where this issue poses a significant risk to the confidentiality and integrity of snapshot data, allowing both authenticated and unauthenticated users unauthorized access and deletion capabilities.
## References
https://nvd.nist.gov/vuln/detail/CVE-2021-39226
## Impact
"In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest databa
References
- http://www.openwall.com/lists/oss-security/2021/10/05/4
- https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269
- https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/
- https://security.netapp.com/advisory/ntap-20211029-0008/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39226
Timeline
- 2021-10-05: Published
- 2022-08-25: Added to CISA KEV
- Exploited in the wild