CVE-2025-3415
Published 2025-07-17
Priority P2 · 76 · medium · 4.3 (CVSS 3.1)
CVSS vector: AV:N AC:L PR:L UI:N S:U C:L I:N A:N
ITW / Exploit: VulnCheck KEV (exploited in the wild)
EPSS: 0.89% (54.9th percentile)
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission.
Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 1.9.2-0.20250514160932-04111e9f2afd | 1.9.2-0.20250514160932-04111e9f2afd |
| grafana | grafana | >= 10.4.x < 10.4.19+security-01 | 10.4.19+security-01 |
| grafana | grafana | >= 11.2.x < 11.2.10+security-01 | 11.2.10+security-01 |
| grafana | grafana | >= 11.3.x < 11.3.7+security-01 | 11.3.7+security-01 |
| grafana | grafana | >= 11.4.x < 11.4.5+security-01 | 11.4.5+security-01 |
| grafana | grafana | >= 11.5.x < 11.5.5+security-01 | 11.5.5+security-01 |
| grafana | grafana | >= 11.6.x < 11.6.2+security-01 | 11.6.2+security-01 |
| grafana | grafana | >= 12.0.x < 12.0.1+security-01 | 12.0.1+security-01 |
Detection & IOCs (extracted from sources)
- url: GET /api/alertmanager/grafana/config/api/v1/alerts HTTP/1.1
- other: (?i)https?://oapi\.dingtalk\.com/robot/send\?access_token=[^&"\s]+
- yara: contains_all(body, "dingtalk.com","dingding-context") AND contains(content_type, "application/json") AND status_code == 200
- Send an unauthenticated or Viewer-authenticated GET request to /api/alertmanager/grafana/config/api/v1/alerts; a vulnerable Grafana instance will return HTTP 200 JSON containing both 'dingtalk.com' and 'dingding-context' strings, exposing the DingDing webhook URL with access token in plaintext.
- Extract leaked DingDing webhook URLs matching the pattern https://oapi.dingtalk.com/robot/send?access_token=<TOKEN> from the alertmanager config API response body.
- Shodan/FOFA asset discovery: search for Grafana instances using http.title:"grafana" or title="grafana" to identify potentially exposed targets.
- The vulnerability allows Viewer-role users to access sensitive webhook URLs including API tokens through the alertmanager API without elevated privileges, due to misconfigured access control on the DingDing contact-point integration.
- Exploitation requires the DingDing/DingTalk alerting integration to be explicitly configured in Grafana Alerting; instances without this integration configured are not affected.
- Affected Grafana versions are those at or below 12.0.1 (and below 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01); fixed versions properly restrict access to DingDing integration settings.
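As an added example (not code from the page's sources or from the Nuclei template), the detection rule above implemented in Python and run over a captured response body, with extraction and redaction of any plaintext access token so the evidence can be stored safely. The JSON layout, receiver name, UID and token are constructed placeholders, not real Grafana output.

```python
import json
import re

# Webhook pattern taken from the IOC regex above; group 1 captures the token.
DINGTALK_WEBHOOK_RE = re.compile(
    r'(?i)https?://oapi\.dingtalk\.com/robot/send\?access_token=([^&"\s]+)'
)


def matches_detection_rule(status_code: int, content_type: str, body: str) -> bool:
    """The page's rule: HTTP 200, JSON content type, both marker strings in body."""
    return (
        status_code == 200
        and "application/json" in content_type.lower()
        and "dingtalk.com" in body
        and "dingding-context" in body
    )


def leaked_tokens(body: str) -> list[str]:
    """Access tokens present in plaintext in a response body or config export."""
    return DINGTALK_WEBHOOK_RE.findall(body)


def redact_tokens(body: str) -> str:
    """Replace each token so the response can be retained without re-leaking it."""
    return DINGTALK_WEBHOOK_RE.sub(
        lambda m: m.group(0).replace(m.group(1), "<REDACTED>"), body
    )


# Constructed sample (hypothetical values): a minimal alertmanager-config style
# document with one DingDing receiver; not an actual Grafana response.
SAMPLE_BODY = json.dumps({
    "alertmanager_config": {
        "receivers": [{
            "name": "ops-dingding",
            "grafana_managed_receiver_configs": [{
                "uid": "constructed-uid", "type": "dingding",
                "settings": {
                    "url": "https://oapi.dingtalk.com/robot/send?access_token=CONSTRUCTEDTOKEN123",
                    "message": '{{ template "dingding-context" . }}',
                },
            }],
        }],
    }
})

if __name__ == "__main__":
    print("rule matched:", matches_detection_rule(200, "application/json", SAMPLE_BODY))
    print("tokens:", leaked_tokens(SAMPLE_BODY))
    print(redact_tokens(SAMPLE_BODY))
```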
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| osv | | 4.3 | MEDIUM | |
| vulncheck | | 4.3 | MEDIUM | |
| vendor_redhat | | 4.3 | MEDIUM | |
OSV
CVE-2025-3415 Grafana's insecure DingDing Alert integration exposes sensitive information in github.com/grafana/grafana
osv · 2025-07-29
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana before v1.9.2-0.20250514160932-04111e9f2afd.
OSV
CVE-2025-3415 [MEDIUM] Grafana's insecure DingDing Alert integration exposes sensitive information
osv · 2025-07-17
OSV
CVE-2025-3415 [MEDIUM] Grafana is an open-source platform for monitoring and observability
osv · 2025-07-17 · CVSS 4.3
GHSA
CVE-2025-3415 [MEDIUM] CWE-200 Grafana's insecure DingDing Alert integration exposes sensitive information
ghsa · 2025-07-17
VulnCheck
CVE-2025-3415 [MEDIUM] Grafana Labs Grafana Exposure of Sensitive Information to an Unauthorized Actor
vulncheck · 2025 · CVSS 4.3
Affected: Grafana Labs Grafana
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-07&host_type=src&vulnerability=cve-2025-3415; https://dashboard.
Red Hat
CVE-2025-3415 [MEDIUM] CWE-200 grafana: Exposure of DingDing alerting integration URL to Viewer level users
vendor_redhat · 2025-06-24 · CVSS 4.3
A flaw exists in Grafana Alerting, where the DingDing contact-point integration URL can be revealed in plain text to users with viewer-level permissions due to misconfigured access control. This disclosure permits unauthorized users to view sensitive webhook URLs, including API tokens or keys, without needing elevated privileges.
Statement: The Grafana development
No detection rules found.
Nuclei
CVE-2025-3415 [MEDIUM] Grafana - Exposes DingDing API Keys
nuclei · CVSS 4.3
An incident occurred where the DingDing alerting integration URL was inadvertently exposed to viewers due to a setting oversight in versions below or equals to 12.0.1.
Template:

```yaml
id: CVE-2025-3415

info:
  name: Grafana - Exposes DingDing API Keys
  author: lucasribolli
  severity: medium
  description: |
    An incident occurred where the DingDing alerting integration URL was inadvertently exposed to viewers due to a setting oversight in versions below or equals to 12.0.1.
  impact: |
    Viewers can access DingDing alerting integration URLs containing access tokens through the alertmanager API, potentially enabling unauthorized message delivery and notification manipulation.
  remediation: |
    Upgrade to Grafana version 12.0.2 or later that properly restricts access to Di
```