CVE-2026-21724Improper Authorization in OSS

CWE-285Improper AuthorizationCWE-266Incorrect Privilege Assignment6 documents6 sources
Severity
5.4MEDIUMNVD
EPSS
0.0%
top 91.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Grafana OSS
Timeline
PublishedMar 26

Description

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages1 packages

CVEListV5grafana/grafana_oss12.3.112.3.6+3

🔴Vulnerability Details

3
GHSA
GHSA-7g92-g4vh-hp84: A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role2026-03-26
OSV
CVE-2026-21724: A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role2026-03-26
CVEList
Missing Protected-field Authorization in Provisioning Contact Points API2026-03-26

📋Vendor Advisories

1
Red Hat
Grafana OSS: Grafana OSS: Authorization bypass allows modification of protected webhook URLs2026-03-26

🕵️Threat Intelligence

1
Wiz
CVE-2026-21724 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-21724 — Improper Authorization in Grafana OSS | cvebase