github.com/grafana/grafana vulnerabilities

57 known vulnerabilities affecting github.com/grafana_grafana.

Total CVEs: 57
CISA KEV: 2 (actively exploited)
Public exploits: 8
Exploited in wild: 2
Severity breakdown: CRITICAL 5, HIGH 18, MEDIUM 31, LOW 3

Vulnerabilities

Page 1 of 3

CVE-2026-27877 [MEDIUM] CWE-200 | 2026-03-27
Affected versions: ≥ 9.3.0; ≥ 12.0.0; +4 more
Grafana public dashboards disclose all direct mode datasources
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

CVE-2025-41115 [CRITICAL] CWE-266 | 2025-11-21
Affected versions: ≥ 12.0.0, < 12.0.7; ≥ 12.1.0, < 12.1.4; +2 more
Grafana Incorrect Privilege Assignment vulnerability
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM clie

CVE-2025-6023 [HIGH] CWE-79 | 2025-07-18
Affected versions: ≥ 0, < 1.9.2-0.20250521205822-0ba0b99665a9
Grafana is vulnerable to XSS attacks through open redirects and path traversal
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.

CVE-2025-3415 [MEDIUM] CWE-200 | PoC available | 2025-07-17
Affected versions: ≥ 0, < 1.9.2-0.20250514160932-04111e9f2afd
Grafana's insecure DingDing Alert integration exposes sensitive information
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6

CVE-2025-1088 [LOW] CWE-20 | 2025-06-18
Affected versions: ≥ 0.0.1-test, < 11.6.2; ≥ 0, < 0.0.0-20250521211231-e0ba4b480954
Grafana long dashboard title or panel name causes unresponsiveness
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to an Improper Input Validation vulnerability in Grafana. This issue affects Grafana before 11.6.2 and is fixed in 11.6.2 and higher.

CVE-2025-3260 [HIGH] CWE-863 | 2025-06-02
Affected versions: ≥ 0.0.0-20250114093457-36d6fad421fb, < 0.0.0-20250521183405-c7a690348df7
Grafana vulnerable to authenticated users bypassing dashboard, folder permissions
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact:
- Viewers can view all dashboards/folders regardless of permissions
- Editors

CVE-2025-3454 [MEDIUM] CWE-285 | 2025-06-02
Affected versions: ≥ 0.0.0-20210414170620-dadccdda06e6, < 0.0.0-20250424191517-1f707d16ed5d
Grafana's datasource proxy API allows authorization checks to be bypassed
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources th

CVE-2025-4123 [HIGH] CWE-79 | PoC available | 2025-05-22
Affected versions: ≥ 0, < 0.0.0-20250521183405-c7a690348df7
Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabl

CVE-2024-11741 [MEDIUM] CWE-200 | 2025-01-31
Affected versions: ≥ 11.4.0, < 11.4.1; ≥ 11.3.0, < 11.3.3; +6 more
Grafana Alerting VictorOps integration could be exposed to users with Viewer permission
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15.

CVE-2024-10452 [LOW] CWE-639 | 2024-10-29
Affected versions: ≥ 0, ≤ 10.4.0
Grafana org admin can delete pending invites in different org
Organization admins can delete pending invites created in an organization they are not part of.

CVE-2024-9264 [CRITICAL] CWE-77 | PoC available | 2024-10-18
Affected versions: ≥ 11.0.0, < 11.0.6+security-01; ≥ 11.1.0, < 11.1.7+security-01; +1 more
Grafana Command Injection And Local File Inclusion Via SQL Expressions
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable

CVE-2024-6322 [MEDIUM] CWE-266 | 2024-08-20
Affected versions: ≥ 11.1.0, < 11.1.1; ≥ 11.1.2, < 11.1.3; +2 more
Grafana plugin data sources vulnerable to access control bypass
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.

CVE-2021-41244 [CRITICAL] CWE-610 | 2024-05-14
Affected versions: ≥ 8.0.0, < 8.2.4
Grafana Fine-grained access control vulnerability
Impact: On Nov. 2, during an internal security audit, we discovered that when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users' roles in other organizations in whi

CVE-2022-39201 [HIGH] CWE-200 | CVSS 7.5 | 2024-05-14
Affected versions: ≥ 5.0.0-beta1, < 8.5.14; ≥ 9.0.0, < 9.1.8
Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
Today we are releasing Grafana 9.2. Alongside new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-39201. We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix th

CVE-2022-31130 [HIGH] CWE-200 | CVSS 7.5 | 2024-05-14
Affected versions: ≥ 9.0.0, < 9.1.8; ≥ 7.0.0, < 8.5.14
Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
Today we are releasing Grafana 9.2. Alongside new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31130. We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. R

CVE-2022-39328 [HIGH] CWE-362 | CVSS 8.1 | 2024-05-14
Affected versions: ≥ 9.2.0, < 9.2.4
Grafana Race condition allowing privilege escalation
Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes critical security fixes for CVE-2022-39328. Release 9.2.4, latest patch, also containing security fix: - [Download Grafana 9.2.4](https://grafana.com/grafana/download/9.2.4) Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as al

CVE-2022-39306 [HIGH] CWE-20 | CVSS 8.1 | 2024-05-14
Affected versions: ≥ 8.0.0, < 8.5.15; ≥ 9.0.0, < 9.2.4
Grafana Email addresses and usernames can not be trusted
Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes moderate severity security fixes for CVE-2022-39306. We are also releasing security patches for Grafana 8.5.15 to fix these issues. Release 9.2.4, latest patch, also containing security fix: - [Download Grafana 9.2.4](https://grafana.com/grafana/download/9.2.4

CVE-2022-31123 [HIGH] CWE-347 | CVSS 7.8 | 2024-05-14
Affected versions: ≥ 9.0.0, < 9.1.8; ≥ 7.0.0, < 8.5.14
Grafana Plugin signature bypass
Today we are releasing Grafana 9.2. Alongside new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31123. We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also containing security fix: - [Download Grafana 9.2](https://grafana.com/grafana/download/9.2) Release 9.1.8, only

CVE-2022-31107 [HIGH] CWE-863 | CVSS 7.5 | 2024-05-14
Affected versions: ≥ 5.3.0-beta1, < 8.3.10; ≥ 8.4.0, < 8.4.10; +2 more
Grafana account takeover via OAuth vulnerability
Today we are releasing Grafana 8.3.10, 8.4.10, 8.5.9 and 9.0.3. This patch release includes a HIGH severity security fix for an OAuth takeover vulnerability in Grafana. Release v9.0.3, containing this security fix and other patches: - [Download Grafana 9.0.3](https://grafana.com/grafana/download/9.0.3) - [Release notes](https://grafana.com/docs/grafana/next/release-

CVE-2022-31097 [HIGH] CWE-79 | CVSS 8.7 | 2024-05-14
Affected versions: ≥ 9.0.0, < 9.0.3; ≥ 8.5.0, < 8.5.9; +2 more
Grafana Stored Cross-site Scripting in Unified Alerting
Today we are releasing Grafana 8.3.10, 8.4.10, 8.5.9 and 9.0.3. This patch release includes a HIGH severity security fix for a stored Cross Site Scripting in Grafana. Release v9.0.3, containing this security fix and other patches: - [Download Grafana 9.0.3](https://grafana.com/grafana/download/9.0.3) - [Release notes](https://grafana.com/docs/grafana/ne