CVE-2026-27877
published 2026-03-27

Priority: P345 | high | 7.5 (CVSS 3.1)
AV:N AC:L PR:N UI:N S:U C:H I:N A:N
EPSS: 0.31% (22.5th percentile)

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

Affected

16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 1.9.2-0.20221116104934-4ee83a5f2bf4 < 1.9.2-0.20260325055210-3522153e07b4 | 1.9.2-0.20260325055210-3522153e07b4 |
| github.com | grafana_grafana | >= 12.0.0 | |
| github.com | grafana_grafana | >= 12.2.0 | |
| github.com | grafana_grafana | >= 12.3.0 | |
| github.com | grafana_grafana | >= 12.4.0 | |
| github.com | grafana_grafana | >= 9.3.0 | |
| grafana | grafana | < 9.3.0 | 9.3.0 |
| grafana | grafana | >= 11.6.14 < 12.0.0 | 12.0.0 |
| grafana | grafana | >= 12.0.0 < 12.1.10 | 12.1.10 |
| grafana | grafana | >= 12.1.10 < 12.2.0 | 12.2.0 |
| grafana | grafana | >= 12.2.0 < 12.2.8 | 12.2.8 |
| grafana | grafana | >= 12.2.8 < 12.3.0 | 12.3.0 |
| grafana | grafana | >= 12.3.0 < 12.3.6 | 12.3.6 |
| grafana | grafana | >= 12.3.6 < 12.4.0 | 12.4.0 |
| grafana | grafana | >= 12.4.0 < 12.4.2 | 12.4.2 |
| grafana | grafana | >= 9.3.0 < 11.6.14 | 11.6.14 |

CVSS provenance

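| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | | 7.5 | HIGH | |
| vendor_redhat | | 6.5 | MEDIUM | |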