CVE-2025-3260
Published 2025-06-02
Priority: P3 · 51 · High · CVSS 3.1 base score: 8.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.48% (38.0th percentile)
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).
Impact:
- Viewers can view all dashboards/folders regardless of permissions
- Editors can view/edit/delete all dashboards/folders regardless of permissions
- Editors can create dashboards in any folder regardless of permissions
- Anonymous users with viewer/editor roles are similarly affected
Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0.0.0-20250114093457-36d6fad421fb < 0.0.0-20250521183405-c7a690348df7 | 0.0.0-20250521183405-c7a690348df7 |
| github.com | grafana_grafana | >= 0.0.0-20250114093457-36d6fad421fb | — |
| grafana | grafana | >= 11.6.0 < 11.6.1+security-01 | 11.6.1+security-01 |
CVSS provenance
- NVD (v3.1): 8.3 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
- OSV: 8.3 HIGH
- Red Hat (vendor): 8.3 HIGH
OSV
Grafana vulnerable to authenticated users bypassing dashboard, folder permissions in github.com/grafana/grafana
osv · 2025-06-09
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana before v0.0.0-20250521183405-c7a690348df7.
OSV
CVE-2025-3260: A security vulnerability in the /apis/dashboard
osv · 2025-06-02 · CVSS 8.3 · HIGH
OSV
Grafana vulnerable to authenticated users bypassing dashboard, folder permissions
osv · 2025-06-02 · HIGH
GHSA
Grafana vulnerable to authenticated users bypassing dashboard, folder permissions
ghsa · 2025-06-02 · HIGH
CWE-863
Red Hat
grafana: Unauthorized Dashboard Access in Grafana
vendor_redhat · 2025-04-25 · CVSS 8.3 · HIGH
CWE-281
A flaw was found in Grafana. This vulnerability allows users with Viewer or Editor roles to acces
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.