CVE-2025-3260: Incorrect Authorization in Grafana

Severity: 8.3 HIGH (NVD)
EPSS: 0.1% (top 75.32%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 2, 2025; Latest update Jun 9, 2025

Description

A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).

Impact:
- Viewers can view all dashboards/folders regardless of permissions
- Editors can view/edit/delete all dashboards/folders regardless of permissions
- Editors can create dashboards in any folder regardless of permissions
- Anonymous users with viewer/editor roles are si

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Exploitability: 2.8 | Impact: 5.5

Affected Packages (2 packages)

Source       Package                      Introduced                          Fixed
CVEList V5   grafana/grafana              11.6.0                              11.6.1+security-01
Go           github.com/grafana_grafana   0.0.0-20250114093457-36d6fad421fb   0.0.0-20250521183405-c7a690348df7 +1
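The CVEList range above (introduced 11.6.0, fixed 11.6.1+security-01) trips up tools that compare versions by strict SemVer, because SemVer ignores "+" build metadata and would treat 11.6.1 and 11.6.1+security-01 as equal. The checker below is an added example, not code from cvebase or the Grafana project. It assumes Grafana's "+security-NN" suffix denotes a later build of the same base version (so a plain 11.6.1 still falls inside the affected range) and reads the version from the JSON body that Grafana's /api/health endpoint returns; the sample body is constructed, not captured from a real instance.

```python
import json
import re

# Range from the advisory's CVEList V5 entry for grafana/grafana.
INTRODUCED = "11.6.0"
FIXED = "11.6.1+security-01"

# Release versions only ("11.6.1"), optionally with Grafana's security
# build suffix ("11.6.1+security-01"). Pre-release builds are rejected
# because the release-based range above says nothing about them.
_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:\+security-(?P<sec>\d+))?$"
)


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, security_build).

    Assumption: a "+security-NN" build of a base version is newer than the
    plain release of that base version, so 11.6.1 sorts before
    11.6.1+security-01. Strict SemVer ignores build metadata for ordering,
    which is exactly why an off-the-shelf comparator misreports 11.6.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported Grafana version string: {text!r}")
    return (
        int(m.group("major")),
        int(m.group("minor")),
        int(m.group("patch")),
        int(m.group("sec") or 0),
    )


def is_affected(version, introduced=INTRODUCED, fixed=FIXED):
    """True when introduced <= version < fixed (half-open, as in OSV ranges)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def check_health_body(body):
    """Classify a Grafana /api/health JSON body by its "version" field."""
    data = json.loads(body)
    version = data.get("version")
    if not version:
        raise ValueError('health body has no "version" field')
    return {"version": version, "affected": is_affected(version)}


# Constructed sample body in the shape Grafana's /api/health returns;
# the commit value is a placeholder, not a real Grafana commit.
SAMPLE_HEALTH = '{"commit": "0000000", "database": "ok", "version": "11.6.1"}'

if __name__ == "__main__":
    for v in ("11.5.4", "11.6.0", "11.6.1", "11.6.1+security-01", "11.6.2"):
        print(f"{v:22} affected={is_affected(v)}")
    print(check_health_body(SAMPLE_HEALTH))
```

Against a live instance, pipe the output of `curl -s https://<grafana-host>/api/health` into `check_health_body`; /api/health needs no credentials, so this is a safe fleet-wide inventory step. Note that the check only covers the CVEList release range; the Go pseudo-version range in the table is the authoritative one for builds cut from a commit rather than a tagged release.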

🔴 Vulnerability Details (5)

OSV: Grafana vulnerable to authenticated users bypassing dashboard, folder permissions in github.com/grafana/grafana (2025-06-09)
CVEList: CVE-2025-3260: A security vulnerability in the /apis/dashboard (2025-06-02)
OSV: CVE-2025-3260: A security vulnerability in the /apis/dashboard (2025-06-02)
OSV: Grafana vulnerable to authenticated users bypassing dashboard, folder permissions (2025-06-02)
GHSA: Grafana vulnerable to authenticated users bypassing dashboard, folder permissions (2025-06-02)

📋 Vendor Advisories (1)

Red Hat: grafana: Unauthorized Dashboard Access in Grafana (2025-04-25)
CVE-2025-3260 — Incorrect Authorization in Grafana | cvebase