CVE-2026-21724
published 2026-03-26

Priority: P4 23 medium
CVSS 3.1: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
EPSS: 0.24% (14.8th percentile)

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 1.9.2-0.20260323180334-daffe750de85 | 1.9.2-0.20260323180334-daffe750de85 |
| grafana | grafana | >= 11.6.9 < 11.6.14 | 11.6.14 |
| grafana | grafana | >= 12.1.5 < 12.1.10 | 12.1.10 |
| grafana | grafana | >= 12.2.2 < 12.2.8 | 12.2.8 |
| grafana | grafana | >= 12.3.1 < 12.3.6 | 12.3.6 |
| grafana | grafana_oss | >= 11.6.9 < 11.6.14 | 11.6.14 |
| grafana | grafana_oss | >= 12.1.5 < 12.1.10 | 12.1.10 |
| grafana | grafana_oss | >= 12.2.2 < 12.2.8 | 12.2.8 |
| grafana | grafana_oss | >= 12.3.1 < 12.3.6 | 12.3.6 |

CVSS provenance

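| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| osv | | 5.4 | MEDIUM | |
| vendor_redhat | | 5.4 | MEDIUM | |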