CVE-2026-21722
published 2026-02-12

Priority P4 | 29 | medium | 5.3 (CVSS 3.1)
AV:N AC:L PR:N UI:N S:U C:L I:N A:N
EPSS: 0.33% (24.4th percentile)

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.

Affected

16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | | |
| grafana | grafana | | |
| grafana | grafana | | |
| grafana | grafana | | |
| grafana | grafana | >= 12.0.0 < 12.1.6 | 12.1.6 |
| grafana | grafana | 12.2.0 – 12.2.4 | |
| grafana | grafana | 12.3.0 – 12.3.2 | |
| grafana | grafana | >= 9.3.0 < 11.6.10 | 11.6.10 |
| grafana | grafana_grafana | >= 12.0.0 < 12.1.6+security-01 | 12.1.6+security-01 |
| grafana | grafana_grafana | >= 12.2.0 < 12.2.4+security-01 | 12.2.4+security-01 |
| grafana | grafana_grafana | >= 12.3.0 < 12.3.2+security-01 | 12.3.2+security-01 |
| grafana | grafana_grafana | >= 9.3.0 < 11.6.10+security-01 | 11.6.10+security-01 |
| grafana | grafana_grafana-enterprise | >= 12.0.0 < 12.1.6+security-01 | 12.1.6+security-01 |
| grafana | grafana_grafana-enterprise | >= 12.2.0 < 12.2.4+security-01 | 12.2.4+security-01 |
| grafana | grafana_grafana-enterprise | >= 12.3.0 < 12.3.2+security-01 | 12.3.2+security-01 |
| grafana | grafana_grafana-enterprise | >= 9.3.0 < 11.6.10+security-01 | 11.6.10+security-01 |

CVSS provenance

nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
osv | 5.3 | MEDIUM
vendor_redhat | 5.3 | MEDIUM