github.com/grafana/grafana vulnerabilities
61 known vulnerabilities affecting github.com/grafana_grafana.
Total CVEs: 61
CISA KEV: 2 (actively exploited)
Public exploits: 9
Exploited in wild: 6
Severity breakdown: CRITICAL 5, HIGH 18, MEDIUM 35, LOW 3
Vulnerabilities
Page 1 of 4
CVE-2021-39226 | P1 | HIGH | CVSS 7.3 | KEV | PoC | Affected: ≥ 0, < 7.5.11; ≥ 8.0.0, < 8.1.6 | 2021-10-05
CVE-2021-39226 [HIGH] CWE-287 Authentication bypass for viewing and deletions of snapshots
Today we are releasing Grafana 7.5.11, and 8.1.6. These patch releases include an important security fix for an issue that affects all Grafana versions from 2.0.1.
[Grafana Cloud](https://grafana.com/cloud) instances have already been patched and an audit did not find any usage of this attack vector. [Grafana Enterprise](https://grafana.com/pro
CVE-2021-43798 | P1 | HIGH | CVSS 7.5 | KEV | PoC | Affected: ≥ 8.3.0, < 8.3.1; ≥ 8.2.0, < 8.2.7; +2 more | 2024-02-01
CVE-2021-43798 [HIGH] CWE-22 Grafana path traversal
Today we are releasing Grafana 8.3.1, 8.2.7, 8.1.8, 8.0.7. This patch release includes a high severity security fix that affects Grafana versions from v8.0.0-beta1 through v8.3.0.
Release v8.3.1, only containing a security fix:
- [Download Grafana 8.3.1](https://grafana.com/grafana/download/8.3.1)
- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-1/)
Release v8.2.7, only contain
CVE-2020-13379 | P1 | MEDIUM | Exploited | PoC | Affected: ≥ 3.0.1, < 6.7.4; ≥ 7.0.0, < 7.0.2 | 2022-02-15
CVE-2020-13379 [MEDIUM] CWE-918 Server Side Request Forgery in Grafana
The avatar feature in Grafana (github.com/grafana/grafana/pkg/api/avatar) 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue that allows remote code execution. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is
CVE-2025-4123 | P2 | HIGH | Exploited | PoC | Affected: ≥ 0, < 0.0.0-20250521183405-c7a690348df7 | 2025-05-22
CVE-2025-4123 [HIGH] CWE-79 Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabl
CVE-2021-27358 | P1 | MEDIUM | Exploited | PoC | Affected: ≥ 6.7.3, < 7.4.2 | 2022-02-15
CVE-2021-27358 [MEDIUM] CWE-306 Denial of service in Grafana
The snapshot feature in Grafana before 7.4.2 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
### Specific Go Packages Affected
github.com/grafana/grafana/pkg/middleware
CVE-2025-3415 | P2 | MEDIUM | Exploited | PoC | Affected: ≥ 0, < 1.9.2-0.20250514160932-04111e9f2afd | 2025-07-17
CVE-2025-3415 [MEDIUM] CWE-200 Grafana's insecure DingDing Alert integration exposes sensitive information
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission.
Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6
CVE-2024-9264 | P2 | CRITICAL | PoC | Affected: ≥ 11.0.0, < 11.0.6+security-01; ≥ 11.1.0, < 11.1.7+security-01; +1 more | 2024-10-18
CVE-2024-9264 [CRITICAL] CWE-77 Grafana Command Injection And Local File Inclusion Via Sql Expressions
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable
CVE-2025-6023 | P2 | HIGH | PoC | Affected: ≥ 0, < 1.9.2-0.20250521205822-0ba0b99665a9 | 2025-07-18
CVE-2025-6023 [HIGH] CWE-79 Grafana is vulnerable to XSS attacks through open redirects and path traversal
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.
The open redirect can be chained with path traversal vulnerabilities to achieve XSS.
Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.
CVE-2018-15727 | P2 | CRITICAL | Affected: ≥ 0, < 4.6.4; ≥ 5.0.0, < 5.2.3 | 2022-02-15
CVE-2018-15727 [CRITICAL] CWE-287 Grafana Authentication Bypass
Grafana before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.
### Specific Go Packages Affected
github.com/grafana/grafana/pkg/api
CVE-2022-31097 | P2 | HIGH | CVSS 8.7 | Affected: ≥ 9.0.0, < 9.0.3; ≥ 8.5.0, < 8.5.9; +2 more | 2024-05-14
CVE-2022-31097 [HIGH] CWE-79 Grafana Stored Cross-site Scripting in Unified Alerting
Today we are releasing Grafana 8.3.10, 8.4.10, 8.5.9 and 9.0.3. This patch release includes a HIGH severity security fix for a stored Cross Site Scripting in Grafana.
Release v.9.0.3, containing this security fix and other patches:
- [Download Grafana 9.0.3](https://grafana.com/grafana/download/9.0.3)
- [Release notes](https://grafana.com/docs/grafana/ne
CVE-2025-41115 | P2 | CRITICAL | Affected: ≥ 12.0.0, < 12.0.7; ≥ 12.1.0, < 12.1.4; +2 more | 2025-11-21
CVE-2025-41115 [CRITICAL] CWE-266 Grafana Incorrect Privilege Assignment vulnerability
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.
In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM clie
CVE-2023-3128 | P2 | CRITICAL | Affected: ≥ 9.4.0, < 9.4.13; ≥ 9.3.0, < 9.3.16; +2 more | 2023-06-22
CVE-2023-3128 [CRITICAL] CWE-290 Grafana vulnerable to Authentication Bypass by Spoofing
Grafana is validating Azure AD accounts based on the email claim.
On Azure AD, the profile email field is not unique and can be easily modified.
This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
CVE-2020-11110 | P3 | MEDIUM | PoC | Affected: ≥ 0, < 6.7.2 | 2022-05-24
CVE-2020-11110 [MEDIUM] CWE-79 Grafana stored XSS
Grafana through 6.7.1 allows stored XSS.
CVE-2024-1442 | P3 | HIGH | Affected: ≥ 8.5.0, < 9.5.7; ≥ 10.0.0, < 10.0.12; +3 more | 2024-03-07
CVE-2024-1442 [HIGH] CWE-269 Grafana's users with permissions to create a data source can CRUD all data sources
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.
Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
CVE-2025-3260 | P3 | HIGH | Affected: ≥ 0.0.0-20250114093457-36d6fad421fb, < 0.0.0-20250521183405-c7a690348df7 | 2025-06-02
CVE-2025-3260 [HIGH] CWE-863 Grafana vulnerable to authenticated users bypassing dashboard, folder permissions
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).
Impact:
- Viewers can view all dashboards/folders regardless of permissions
- Editors
CVE-2026-33381 | P3 | MEDIUM | Affected: ≥ 0, < 1.9.2-0.20260513165311-fb7336fc36c1 | 2026-05-13
CVE-2026-33381 [MEDIUM] CWE-284 Grafana: Users can generate Service Account tokens after permissions removal
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
CVE-2022-39328 | P3 | HIGH | CVSS 8.1 | Affected: ≥ 9.2.0, < 9.2.4 | 2024-05-14
CVE-2022-39328 [HIGH] CWE-362 Grafana Race condition allowing privilege escalation
Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes critical security fixes for CVE-2022-39328.
Release 9.2.4, latest patch, also containing security fix:
- [Download Grafana 9.2.4](https://grafana.com/grafana/download/9.2.4)
Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as al
CVE-2022-31107 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 5.3.0-beta1, < 8.3.10; ≥ 8.4.0, < 8.4.10; +2 more | 2024-05-14
CVE-2022-31107 [HIGH] CWE-863 Grafana account takeover via OAuth vulnerability
Today we are releasing Grafana 8.3.10, 8.4.10, 8.5.9 and 9.0.3. This patch release includes a HIGH severity security fix for an OAuth takeover vulnerability in Grafana.
Release v.9.0.3, containing this security fix and other patches:
- [Download Grafana 9.0.3](https://grafana.com/grafana/download/9.0.3)
- [Release notes](https://grafana.com/docs/grafana/next/release-
CVE-2022-31130 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 9.0.0, < 9.1.8; ≥ 7.0.0, < 8.5.14 | 2024-05-14
CVE-2022-31130 [HIGH] CWE-200 Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
Today we are releasing Grafana 9.2. Alongside new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31130.
We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues.
R
CVE-2019-13068 | P3 | MEDIUM | Affected: ≥ 0, < 6.2.5 | 2022-05-24
CVE-2019-13068 [MEDIUM] CWE-79 Grafana Cross-site Scripting vulnerability
`public/app/features/panel/panel_ctrl.ts` in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field).