CVE-2025-3454
Published 2025-06-02
Priority P4 (29) · CVSS 3.1 base score 5.0 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
EPSS: 0.41% (33.1st percentile)
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path.
Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources.
The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.
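The advisory text says only that an extra slash defeats the route-specific checks. The Go example below is added here and is not Grafana's code; it models one way such a check fails: a route-permission table keyed on path prefixes is matched against the raw proxied path, while the upstream normalizes the path before routing, so the two sides disagree about which endpoint is being hit. The rule table, the role names, the Alertmanager/Prometheus-style paths and the default-allow fallback are all assumptions for illustration. The hardened variant normalizes first and matches on whole segments, and goes beyond the doubled slash the advisory names to the sibling forms from the same bug class (dot segments, percent-encoded slashes).

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// routeRule is a hypothetical route-specific permission entry for a proxied
// datasource (assumed shape, not Grafana's real data structure): requests whose
// proxied path falls under prefix with the given method need at least role.
type routeRule struct {
	method string
	prefix string
	role   string
}

// Assumed rule set: alert and rule listings are restricted, ad-hoc queries are
// open to viewers. The paths are illustrative Alertmanager/Prometheus-style
// routes, not a transcription of any real permission table.
var rules = []routeRule{
	{"GET", "/api/v1/alerts", "Admin"},
	{"GET", "/api/v1/rules", "Admin"},
	{"GET", "/api/v1/query", "Viewer"},
}

// Assumed role ordering for the comparison below.
var roleRank = map[string]int{"Viewer": 1, "Editor": 2, "Admin": 3}

func roleSatisfies(have, need string) bool {
	return roleRank[have] >= roleRank[need]
}

// vulnerableAuthorize matches the proxied path exactly as the client sent it.
// "/api/v1//alerts" does not start with "/api/v1/alerts", so no rule fires and
// the default-allow branch lets the request through; the upstream then collapses
// the doubled slash and serves the restricted endpoint.
func vulnerableAuthorize(method, proxyPath, role string) bool {
	for _, r := range rules {
		if r.method == method && strings.HasPrefix(proxyPath, r.prefix) {
			return roleSatisfies(role, r.role)
		}
	}
	return true // no route-specific rule: fall through to the datasource-level permission (assumed)
}

// normalizeProxyPath brings the path into the form the upstream will act on
// before any rule is consulted: percent-decode, collapse repeated slashes,
// resolve "." and ".." segments and drop a trailing slash. Invalid escapes are
// left as-is rather than failing open.
func normalizeProxyPath(p string) string {
	if decoded, err := url.PathUnescape(p); err == nil {
		p = decoded
	}
	return path.Clean("/" + p)
}

// hardenedAuthorize applies the same rule table to the normalized path and
// matches on whole segments, so "/api/v1/alertsX" is not treated as "/api/v1/alerts".
func hardenedAuthorize(method, proxyPath, role string) bool {
	clean := normalizeProxyPath(proxyPath)
	for _, r := range rules {
		if r.method == method && (clean == r.prefix || strings.HasPrefix(clean, r.prefix+"/")) {
			return roleSatisfies(role, r.role)
		}
	}
	return true
}

func main() {
	// Constructed requests from a Viewer: the plain path, the extra-slash variant
	// the advisory describes, and three siblings from the same bug class.
	for _, p := range []string{
		"/api/v1/alerts",
		"/api/v1//alerts",
		"/api/v1/./alerts",
		"/api/v1/query/../alerts",
		"/api/v1%2F%2Falerts",
	} {
		fmt.Printf("%-26s vulnerable=%-5v hardened=%v\n", p,
			vulnerableAuthorize("GET", p, "Viewer"), hardenedAuthorize("GET", p, "Viewer"))
	}
}
```

Two points a practitioner should take from this. First, normalization has to happen in the same order the upstream applies it (decode, then clean), otherwise the two sides can still diverge; when in doubt, compare against the exact string the upstream logs for the request. Second, the example keeps the default-allow fallback so that only the normalization differs between the two checks; a default-deny for routes with no rule would be the stronger posture, at the cost of having to enumerate every legitimate proxied endpoint.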
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0.0.0-20210414170620-dadccdda06e6 < 0.0.0-20250424191517-1f707d16ed5d | 0.0.0-20250424191517-1f707d16ed5d |
| github.com | grafana_grafana | >= 0.0.0-20210414170620-dadccdda06e6 | — |
| grafana | grafana | >= 10.4.0 < 10.4.17+security-01 | 10.4.17+security-01 |
| grafana | grafana | >= 11.2.0 < 11.2.8+security-01 | 11.2.8+security-01 |
| grafana | grafana | >= 11.3.0 < 11.3.5+security-01 | 11.3.5+security-01 |
| grafana | grafana | >= 11.4.0 < 11.4.3+security-01 | 11.4.3+security-01 |
| grafana | grafana | >= 11.5.0 < 11.5.3+security-01 | 11.5.3+security-01 |
| grafana | grafana | >= 11.6.0 < 11.6.0+security-01 | 11.6.0+security-01 |
| grafana | grafana_enterprise | >= 10.4.0 < 10.4.17+security-01 | 10.4.17+security-01 |
| grafana | grafana_enterprise | >= 11.2.0 < 11.2.8+security-01 | 11.2.8+security-01 |
| grafana | grafana_enterprise | >= 11.3.0 < 11.3.5+security-01 | 11.3.5+security-01 |
| grafana | grafana_enterprise | >= 11.4.0 < 11.4.3+security-01 | 11.4.3+security-01 |
| grafana | grafana_enterprise | >= 11.5.0 < 11.5.3+security-01 | 11.5.3+security-01 |
| grafana | grafana_enterprise | >= 11.6.0 < 11.6.0+security-01 | 11.6.0+security-01 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.0 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
Red Hat
grafana: Unauthorized Data Source Access in Grafana via URL Path Manipulation
vendor_redhat·2025-04-23·CVSS 5.0·MEDIUM·CWE-22
A vulnerability was found in Grafana's data source proxy API, which allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus data sources. The
OSV
Grafana's datasource proxy API allows authorization checks to be bypassed in github.com/grafana/grafana
osv·2025-06-09
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana before v0.0.0-20250424191517-1f707d16ed5d.
OSV
Grafana's datasource proxy API allows authorization checks to be bypassed
osv·2025-06-02·MEDIUM
OSV
CVE-2025-3454: This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path
osv·2025-06-02·CVSS 5.0·MEDIUM
GHSA
Grafana's datasource proxy API allows authorization checks to be bypassed
ghsa·2025-06-02·MEDIUM·CWE-285
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.