CVE-2026-21724
Published 2026-03-26
Priority P4 (23), medium, CVSS 3.1 base score 4.3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.24% (14.8th percentile)
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Affected
9 ranges. The first row is the Go module github.com/grafana/grafana, where the fix is identified by a Go pseudo-version (a main-branch commit, not a Grafana release number); the remaining rows are release branches, each with its own fixed version.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 1.9.2-0.20260323180334-daffe750de85 | 1.9.2-0.20260323180334-daffe750de85 |
| grafana | grafana | >= 11.6.9 < 11.6.14 | 11.6.14 |
| grafana | grafana | >= 12.1.5 < 12.1.10 | 12.1.10 |
| grafana | grafana | >= 12.2.2 < 12.2.8 | 12.2.8 |
| grafana | grafana | >= 12.3.1 < 12.3.6 | 12.3.6 |
| grafana | grafana_oss | >= 11.6.9 < 11.6.14 | 11.6.14 |
| grafana | grafana_oss | >= 12.1.5 < 12.1.10 | 12.1.10 |
| grafana | grafana_oss | >= 12.2.2 < 12.2.8 | 12.2.8 |
| grafana | grafana_oss | >= 12.3.1 < 12.3.6 | 12.3.6 |
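To turn the table into a check, here is an added Python example (not part of this page's sources and not Grafana's own tooling) that classifies a Grafana release version against the four release-branch ranges above. It compares major.minor.patch numerically and ignores any suffix such as `-security-01`; it deliberately does not handle the Go pseudo-version row, which identifies a main-branch commit rather than a release. The `assess` and `parse_version` names are mine.

```python
"""Classify a Grafana release version against the CVE-2026-21724 ranges.

The ranges are copied from the affected-versions table; the helper names
are my own (example code, not Grafana tooling)."""
from __future__ import annotations

import re
import sys
from typing import Optional, Tuple

# (first affected, first fixed) per release branch, from the table above.
AFFECTED_RANGES = [
    ("11.6.9", "11.6.14"),
    ("12.1.5", "12.1.10"),
    ("12.2.2", "12.2.8"),
    ("12.3.1", "12.3.6"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> Tuple[int, int, int]:
    """Parse 'v12.3.5', '12.3.5' or '12.3.5-security-01' into (12, 3, 5).

    Numeric comparison of the tuple is what makes '12.1.10' > '12.1.9',
    which a plain string comparison would get wrong."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"not a Grafana release version: {s!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_in).

    status is 'affected' (inside a listed range), 'fixed' (at or above the
    branch's fix) or 'not-listed' (a branch or version the table does not
    cover; the Go pseudo-version row parses as 1.9.2 and lands here too).
    fixed_in is the branch's fix version, or None when not listed."""
    v = parse_version(version)
    for lo, fixed in AFFECTED_RANGES:
        lo_t, fixed_t = parse_version(lo), parse_version(fixed)
        if v[:2] != lo_t[:2]:          # ranges are per major.minor branch
            continue
        if lo_t <= v < fixed_t:
            return "affected", fixed
        if v >= fixed_t:
            return "fixed", fixed
        return "not-listed", None      # below the first listed version of this branch
    return "not-listed", None


if __name__ == "__main__":
    for arg in sys.argv[1:] or ["12.3.5"]:
        status, fixed_in = assess(arg)
        print(f"{arg}: {status}" + (f" (fixed in {fixed_in})" if fixed_in else ""))
```

A version that comes back `not-listed` (for example 12.0.x, or 12.3.0 below the table's lower bound) is not cleared by this check; it only means the published ranges say nothing about it.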
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| OSV | 5.4 | MEDIUM | not given |
| Red Hat | 5.4 | MEDIUM | not given |
NVD scores only a low integrity impact (I:L). The 5.4 from OSV and Red Hat is not accompanied by a vector here; the gap to 4.3 is consistent with those sources also counting a low confidentiality impact, which matches Red Hat's mention of information disclosure below.
GHSA
Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions
ghsa · 2026-03-26 · CVE-2026-21724 · MEDIUM · CWE-285 (Improper Authorization)
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
A patched version is available at https://github.com/grafana/grafana/releases/tag/v12.3.6. That release fixes the 12.3 branch only; the 11.6, 12.1 and 12.2 branches are fixed in 11.6.14, 12.1.10 and 12.2.8 respectively (see the affected-versions table above).
GHSA (unreviewed)
GHSA-7g92-g4vh-hp84
ghsa_unreviewed · 2026-03-26 · CVE-2026-21724 · MEDIUM · CWE-285
Description identical to the CVE summary above.
OSV
osv · 2026-03-26 · CVE-2026-21724 · MEDIUM · CVSS 5.4
Description identical to the CVE summary above.
Red Hat
Grafana OSS: Authorization bypass allows modification of protected webhook URLs
vendor_redhat · 2026-03-26 · CVE-2026-21724 · MEDIUM · CWE-266 (Incorrect Privilege Assignment) · CVSS 5.4
Red Hat classifies the issue as CWE-266, whereas GHSA uses CWE-285 (Improper Authorization); the underlying description is the same.
A flaw was found in Grafana OSS. An authorization bypass vulnerability in the provisioning contact points API allows users with an Editor role to modify protected webhook URLs. This can lead to unauthorized changes to notification configurations, potentially resulting in information disclosure or integrity issues.
Package: grafana (Red Hat Enterprise Linux 10) - Not affected
Package: grafana (Red Hat Enterprise Linux 8) - Not affected
No detection rules found.
No public exploits indexed.
Published: 2026-03-26