CVE-2026-21722 — Sensitive Information Exposure in Grafana

CWE-200 — Sensitive Information Exposure CWE-863 — Incorrect Authorization6 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 97.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Grafana Grafana Grafana Grafana-enterprise Grafana

Timeline

PublishedFeb 12

Description

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDgrafana/grafana9.3.0 — 11.6.10+7

▶CVEListV5grafana/grafana_grafana9.3.0 — 11.6.10+security-01+3

▶CVEListV5grafana/grafana_grafana-enterprise9.3.0 — 11.6.10+security-01+3

🔴Vulnerability Details

GHSA

GHSA-3f33-44xm-29m7: Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard↗2026-02-12

▶

OSV

CVE-2026-21722: Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard↗2026-02-12

▶

CVEList

Public Dashboards time range restriction on annotations can be bypassed↗2026-02-12

▶

📋Vendor Advisories

Red Hat

grafana: Public Dashboards time range restriction on annotations can be bypassed↗2026-02-12

▶

🕵️Threat Intelligence

Wiz

CVE-2026-21722 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶