CVE-2026-27877Sensitive Info Insertion into Sent Data in Grafana

CWE-201Sensitive Info Insertion into Sent DataCWE-200Sensitive Information Exposure7 documents6 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 97.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GrafanaGithub.com Grafana Grafana
Timeline
PublishedMar 27

Description

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5grafana/grafana9.3.011.6.14+4
NVDgrafana/grafana11.6.1412.0.0+4
Gogithub.com/grafana_grafana1.9.2-0.20221116104934-4ee83a5f2bf41.9.2-0.20260325055210-3522153e07b4+5

🔴Vulnerability Details

4
OSV
CVE-2026-27877: When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards2026-03-27
GHSA
Grafana public dashboards disclose all direct mode datasources2026-03-27
CVEList
Public dashboards discloses all direct mode datasources2026-03-27
OSV
Grafana public dashboards disclose all direct mode datasources2026-03-27

📋Vendor Advisories

1
Red Hat
grafana: Grafana: Information disclosure of data-source passwords via public dashboards2026-03-27

🕵️Threat Intelligence

1
Wiz
CVE-2026-27877 Impact, Exploitability, and Mitigation Steps | Wiz