Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-3415Sensitive Information Exposure in Grafana

CWE-200Sensitive Information Exposure9 documents7 sources
Severity
4.3MEDIUMNVD
EPSS
0.3%
top 43.96%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
GrafanaGithub.com Grafana Grafana
Timeline
PublishedJul 17
Latest updateJul 29

Description

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

CVEListV5grafana/grafana10.4.x10.4.19+security-01+6
Gogithub.com/grafana_grafana< 1.9.2-0.20250514160932-04111e9f2afd

🔴Vulnerability Details

6
OSV
Grafana's insecure DingDing Alert integration exposes sensitive information in github.com/grafana/grafana2025-07-29
OSV
Grafana's insecure DingDing Alert integration exposes sensitive information2025-07-17
OSV
CVE-2025-3415: Grafana is an open-source platform for monitoring and observability2025-07-17
CVEList
CVE-2025-3415: Grafana is an open-source platform for monitoring and observability2025-07-17
GHSA
Grafana's insecure DingDing Alert integration exposes sensitive information2025-07-17

💥Exploits & PoCs

1
Nuclei
Grafana - Exposes DingDing API Keys

📋Vendor Advisories

1
Red Hat
grafana: Exposure of DingDing alerting integration URL to Viewer level users2025-06-24
CVE-2025-3415 — Sensitive Information Exposure | cvebase