⚠ Actively exploited

Added to CISA KEV on 2022-08-25. Federal agencies required to patch by 2022-09-15. Required action: Apply updates per vendor instructions..

CVE-2021-39226 — Improper Authentication in Grafana

CWE-287 — Improper Authentication CWE-862 — Missing Authorization CWE-639 — Authorization Bypass Through User-Controlled Key12 documents11 sources

Severity

7.3HIGHNVD

CNA9.8VulnCheck9.8

EPSS

94.3%

top 0.04%

CISA KEV

KEV

Added 2022-08-25

Due 2022-09-15

Exploit

Exploited in wild

Active exploitation observed

Affected products

Grafana Github.com Grafana Grafana Fedoraproject Fedora

Timeline

PublishedOct 5

KEV addedAug 25

KEV dueSep 15

Latest updateApr 7

CISA Required Action: Apply updates per vendor instructions.

Description

Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regar…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages3 packages

▶CVEListV5grafana/grafana< 7.5.11+1

▶NVDgrafana/grafana8.0.0 — 8.1.6+1

▶Gogithub.com/grafana_grafana8.0.0 — 8.1.6+1

Also affects: Fedora 34, 35

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Authentication bypass for viewing and deletions of snapshots↗2021-10-05

▶

GHSA

Authentication bypass for viewing and deletions of snapshots↗2021-10-05

▶

OSV

CVE-2021-39226: Grafana is an open source data visualization platform↗2021-10-05

▶

CVEList

Snapshot authentication bypass in grafana↗2021-10-05

▶

VulnCheck

Grafana Authentication Bypass Vulnerability↗2021

▶

💥Exploits & PoCs

Nuclei

Grafana Snapshot - Authentication Bypass

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Grafana Snapshot Authentication Bypass (CVE-2021-39226)↗2025-04-07

▶

📋Vendor Advisories

CISA

Grafana Authentication Bypass Vulnerability↗2022-08-25

▶

Red Hat

grafana: Snapshot authentication bypass↗2021-10-05

▶

🕵️Threat Intelligence

Unit42

Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More↗2022-08-19

▶

💬Community

HackerOne

CVE-2021-39226 Discovered on endpoint https://██████/api/snapshots↗2024-06-18

▶