CVE-2026-27877
Published 2026-03-27
Priority P3 (45) · severity high · CVSS 3.1 base score 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.31% (22.5th percentile)
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
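The exposure condition described above has two independent halves: at least one enabled public dashboard, and at least one data source in direct (browser) access mode. Because every direct data source leaks, not only those the public dashboard queries, an audit must not filter by dashboard usage. The script below is an added example, not Grafana's own code or part of this advisory; it assumes the shape of `GET /api/datasources` (the `access` and `secureJsonFields` fields) and of `GET /api/dashboards/public-dashboards` (a `publicDashboards` list with `isEnabled`), and the sample responses embedded in it are constructed for illustration.

```python
"""Audit a Grafana instance for the CVE-2026-27877 exposure condition:
enabled public dashboards combined with direct-access data sources.

Added example for this advisory page, not Grafana project code.
"""
import json
import urllib.request

# Constructed sample of GET /api/datasources. Field names follow Grafana's
# datasource API; values are made up for this example.
SAMPLE_DATASOURCES = [
    {"uid": "prom-main", "name": "prometheus-main", "type": "prometheus",
     "access": "proxy", "url": "http://prometheus:9090",
     "basicAuth": False, "secureJsonFields": {}},
    {"uid": "influx-legacy", "name": "legacy-influx", "type": "influxdb",
     "access": "direct", "url": "https://influx.internal:8086",
     "basicAuth": True, "secureJsonFields": {"basicAuthPassword": True}},
    {"uid": "pg-lab", "name": "lab-postgres", "type": "grafana-postgresql-datasource",
     "access": "direct", "url": "pg.internal:5432",
     "basicAuth": False, "secureJsonFields": {"password": True}},
]

# Constructed sample of GET /api/dashboards/public-dashboards. The response
# shape (a "publicDashboards" list carrying "isEnabled") is an assumption.
SAMPLE_PUBLIC_DASHBOARDS = {
    "publicDashboards": [
        {"uid": "pd-1", "dashboardUid": "ops-overview",
         "title": "Ops overview", "isEnabled": True},
        {"uid": "pd-2", "dashboardUid": "old-kpis",
         "title": "Old KPIs", "isEnabled": False},
    ],
    "totalCount": 2,
}


def fetch_json(base_url, path, token):
    """GET a Grafana API path with a service-account token (live use only;
    the offline run below uses the constructed samples instead)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def direct_datasources(datasources):
    """Names of every datasource in direct (browser) access mode. The advisory
    says all of them leak, not only those a public dashboard queries, so no
    per-dashboard filtering is applied."""
    return [ds["name"] for ds in datasources if ds.get("access") == "direct"]


def enabled_public_dashboards(public_dashboards):
    """Public dashboards that are currently switched on."""
    return [pd for pd in public_dashboards.get("publicDashboards", [])
            if pd.get("isEnabled")]


def exposure_report(datasources, public_dashboards):
    """Combine both halves of the exposure condition into one report."""
    direct = direct_datasources(datasources)
    enabled = enabled_public_dashboards(public_dashboards)
    # Stored secrets that would reach anonymous viewers: the populated
    # secureJsonFields of each direct datasource.
    secrets = {ds["name"]: sorted(k for k, v in ds.get("secureJsonFields", {}).items() if v)
               for ds in datasources if ds.get("access") == "direct"}
    return {
        "direct_datasources": direct,
        "enabled_public_dashboards": len(enabled),
        "secrets_at_risk": secrets,
        "exposed": bool(direct) and bool(enabled),
    }


def to_proxy_payload(ds):
    """Body for PUT /api/datasources/uid/<uid> that switches a datasource to
    server-side (proxy) access, the conversion the advisory recommends.
    secureJsonFields is a read-only marker map and is not sent back."""
    payload = {k: v for k, v in ds.items() if k != "secureJsonFields"}
    payload["access"] = "proxy"
    return payload


if __name__ == "__main__":
    report = exposure_report(SAMPLE_DATASOURCES, SAMPLE_PUBLIC_DASHBOARDS)
    print(json.dumps(report, indent=2))
    for ds in SAMPLE_DATASOURCES:
        if ds.get("access") == "direct":
            print("PUT /api/datasources/uid/%s" % ds["uid"],
                  json.dumps(to_proxy_payload(ds)))
```

Switching a datasource to proxy mode means Grafana's server, not the viewer's browser, contacts the backend, so the `url` must be reachable from the Grafana host; check that before applying the payload. Where a direct datasource cannot be converted, the other half of the condition can be removed instead by disabling the affected public dashboards or turning the feature off with `enabled = false` under `[public_dashboards]` in grafana.ini, until the instance is on a fixed release.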
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 1.9.2-0.20221116104934-4ee83a5f2bf4 < 1.9.2-0.20260325055210-3522153e07b4 | 1.9.2-0.20260325055210-3522153e07b4 |
| github.com | grafana_grafana | >= 12.0.0 | — |
| github.com | grafana_grafana | >= 12.2.0 | — |
| github.com | grafana_grafana | >= 12.3.0 | — |
| github.com | grafana_grafana | >= 12.4.0 | — |
| github.com | grafana_grafana | >= 9.3.0 | — |
| grafana | grafana | < 9.3.0 | 9.3.0 |
| grafana | grafana | >= 11.6.14 < 12.0.0 | 12.0.0 |
| grafana | grafana | >= 12.0.0 < 12.1.10 | 12.1.10 |
| grafana | grafana | >= 12.1.10 < 12.2.0 | 12.2.0 |
| grafana | grafana | >= 12.2.0 < 12.2.8 | 12.2.8 |
| grafana | grafana | >= 12.2.8 < 12.3.0 | 12.3.0 |
| grafana | grafana | >= 12.3.0 < 12.3.6 | 12.3.6 |
| grafana | grafana | >= 12.3.6 < 12.4.0 | 12.4.0 |
| grafana | grafana | >= 12.4.0 < 12.4.2 | 12.4.2 |
| grafana | grafana | >= 9.3.0 < 11.6.14 | 11.6.14 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (CVSS 3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| OSV | 7.5 | HIGH | |
| Red Hat (vendor) | 6.5 | MEDIUM | |
OSV
CVE-2026-27877: When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards
osv · 2026-03-27 · CVSS 7.5 · HIGH
GHSA
Grafana public dashboards disclose all direct mode datasources
ghsa · 2026-03-27 · MEDIUM · CWE-200
OSV
Grafana public dashboards disclose all direct mode datasources
osv · 2026-03-27 · MEDIUM
Red Hat
grafana: Grafana: Information disclosure of data-source passwords via public dashboards
vendor_redhat · 2026-03-27 · CVSS 6.5 · MEDIUM · CWE-201
A flaw was found in Grafana. When public dashboards are used with direct data-sources, sensitive credentials, specifically passwords for all direct data-sources, are exposed. This information disclosure occurs even when these data-sources are not actively utilized in the dashboards. A remote attacker could exploit this to gain unauthorized access to other systems.
Mitigation: Mitiga
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-27877 grafana: Grafana: Information disclosure of data-source passwords via public dashboards
bugzilla · 2026-03-27 · CVSS 7.5 · HIGH
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:10223 (https://access.redhat.com/errata/RHSA-2026:10223)
Wiz
CVE-2026-27877 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.5 · MEDIUM
CVE-2026-27877: Grafana vulnerability analysis and mitigation
Source: NVD
Score: 7.5
Published: March 27, 2026
Severity: HIGH
CNA score: 6.5
Affected technologies: Grafana, MinimOS
Has public exploit: No
Has CISA KEV exploit: No
CISA KEV release date: N/A
CISA KEV due date: N/A
Exploitation probability percentile (EPSS): 2.2
Exploitation probability (EPSS): N/A
Affected packages and libraries: grafana-prometheus, grafana-fips-12.4
Sources
Chainguard
https://grafana.com/security/security-advisories/cve-2026-27877
https://access.redhat.com/errata/RHSA-2026:10223
https://access.redhat.com/errata/RHSA-2026:10226
https://access.redhat.com/errata/RHSA-2026:11416
https://access.redhat.com/errata/RHSA-2026:11417
https://access.redhat.com/errata/RHSA-2026:19134
https://access.redhat.com/errata/RHSA-2026:19352
https://access.redhat.com/security/cve/CVE-2026-27877
https://bugzilla.redhat.com/show_bug.cgi?id=2452293
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27877.json