CVE-2026-21721
Published 2026-01-27
Priority P3 · 48 · high · 8.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:N
EPSS 0.65% (46.4th percentile)
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
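The following Go model is an added illustration, not Grafana's own code: it contrasts an authorization check that evaluates only the action, as the advisory describes, with one that also requires the grant's scope to cover the target dashboard. The Permission type, the `dashboards:uid:<uid>` scope format and the sample grants are assumptions made for the example.

```go
package main

import "strings"

// Permission is one (action, scope) grant, modelled on Grafana-style RBAC
// tuples. Constructed for illustration; this is not Grafana's own code.
type Permission struct {
	Action string // e.g. "dashboards.permissions:write"
	Scope  string // e.g. "dashboards:uid:team-a"
}

// Constructed samples: Alice may manage permissions on exactly one dashboard
// (UID "team-a"); the org admin holds a wildcard scope over all dashboards.
var AlicePerms = []Permission{{Action: "dashboards.permissions:*", Scope: "dashboards:uid:team-a"}}
var AdminPerms = []Permission{{Action: "dashboards.permissions:*", Scope: "dashboards:*"}}

// matches compares a granted action or scope with the requested one; a
// trailing "*" is a prefix wildcard ("dashboards.permissions:*" covers
// ":read" and ":write", "dashboards:*" covers every dashboard).
func matches(granted, wanted string) bool {
	if strings.HasSuffix(granted, "*") {
		return strings.HasPrefix(wanted, strings.TrimSuffix(granted, "*"))
	}
	return granted == wanted
}

// CanManageVulnerable models the flawed check in the advisory: only the
// action is evaluated, so the target dashboard UID is never consulted.
func CanManageVulnerable(perms []Permission, action, dashboardUID string) bool {
	for _, p := range perms {
		if matches(p.Action, action) {
			return true
		}
	}
	return false
}

// CanManageFixed also requires the grant's scope to cover the target.
func CanManageFixed(perms []Permission, action, dashboardUID string) bool {
	target := "dashboards:uid:" + dashboardUID
	for _, p := range perms {
		if matches(p.Action, action) && matches(p.Scope, target) {
			return true
		}
	}
	return false
}
```

With the action-only check, Alice's single-dashboard grant is enough to manage permissions on any dashboard in the organization; the scoped check confines her to `team-a` while still honouring the admin's wildcard.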
Affected
20 ranges (the six entries that carry no version data are not listed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | >= 10.2.0 < 11.6.9 | 11.6.9 |
| grafana | grafana | >= 12.0.0 < 12.0.8 | 12.0.8 |
| grafana | grafana | >= 12.1.0 < 12.1.5 | 12.1.5 |
| grafana | grafana | >= 12.2.0 < 12.2.3 | 12.2.3 |
| grafana | grafana_grafana | >= 10.2.0 < 11.6.9 | 11.6.9 |
| grafana | grafana_grafana | >= 12.0.0 < 12.0.8 | 12.0.8 |
| grafana | grafana_grafana | >= 12.1.0 < 12.1.5 | 12.1.5 |
| grafana | grafana_grafana | >= 12.2.0 < 12.2.3 | 12.2.3 |
| grafana | grafana_grafana | >= 12.3.0 < 12.3.1 | 12.3.1 |
| grafana | grafana_grafana-enterprise | >= 10.2.0 < 11.6.9 | 11.6.9 |
| grafana | grafana_grafana-enterprise | >= 12.0.0 < 12.0.8 | 12.0.8 |
| grafana | grafana_grafana-enterprise | >= 12.1.0 < 12.1.5 | 12.1.5 |
| grafana | grafana_grafana-enterprise | >= 12.2.0 < 12.2.3 | 12.2.3 |
| grafana | grafana_grafana-enterprise | >= 12.3.0 < 12.3.1 | 12.3.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| osv | — | 8.1 | HIGH | — |
| vendor_redhat | — | 8.1 | HIGH | — |
VulDB
Grafana up to 12.3.0 Dashboard Permissions API permission (Nessus ID 297049 / WID-SEC-2026-0224)
vuldb·2026-07-01·CVSS 8.1
A vulnerability described as critical has been identified in Grafana up to 11.6.8/12.0.7/12.1.4/12.2.2/12.3.0. Affected by this issue is some unknown functionality of the component Dashboard Permissions API. Executing a manipulation can lead to permission issues.
This vulnerability is registered as CVE-2026-21721. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is recommended.
OSV
CVE-2026-21721: The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards
osv·2026-01-27·CVSS 8.1
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
GHSA
GHSA-jgfq-mgxg-4qwm: The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards
ghsa_unreviewed·2026-01-27·CWE-863
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
Red Hat
grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation
vendor_redhat·2026-01-27·CVSS 8.1·CWE-639
An authorization error has been discovered in Grafana dashboards. The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-21721 grafana: Grafana Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation [fedora-42]
bugzilla·2026-01-28·CVSS 8.1
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a cur
Bugzilla
CVE-2026-21721 grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation
bugzilla·2026-01-27·CVSS 8.1
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:2914 https://access.redhat.com/errata/RHSA-2026:2914
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2026:2920 https://access.redhat.com/errata/RHSA-2026:2920
---
This issue has
Wiz
CVE-2026-21721 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-21721: Grafana vulnerability analysis and mitigation
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
Source: NVD
Score: 8.1 · Published: January 27, 2026 · Severity: HIGH · CNA Score: 8.1
Affected Technologies: Grafana, Rocky Linux
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2
Exploitation Probability (EPSS): N/A
Affected packages and libraries: grafana-prometheus, grafana-fips-11.6
Sources: NVD, AlmaLinux 9 Severity
References:
https://grafana.com/security/security-advisories/cve-2026-21721
https://access.redhat.com/errata/RHSA-2026:2914
https://access.redhat.com/errata/RHSA-2026:2920
https://access.redhat.com/errata/RHSA-2026:3078
https://access.redhat.com/errata/RHSA-2026:3529
https://access.redhat.com/errata/RHSA-2026:5633
https://access.redhat.com/errata/RHSA-2026:8229
https://access.redhat.com/security/cve/CVE-2026-21721
https://bugzilla.redhat.com/show_bug.cgi?id=2433242
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21721.json