Grafana vulnerabilities

94 known vulnerabilities affecting grafana/grafana.

Total CVEs: 94
CISA KEV: 2 (actively exploited)
Public exploits: 12
Exploited in wild: 3
Severity breakdown: CRITICAL 8, HIGH 30, MEDIUM 51, LOW 5

Vulnerabilities

Page 1 of 5
CVE-2026-27876 | CRITICAL | CVSS 9.1 | fixed in 11.6.0 | ≥ 11.6.14, < 12.0.0 (+8 more) | 2026-03-27
  CWE-94. A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. O
  Sources: cvelistv5, nvd

CVE-2026-27880 | HIGH | CVSS 7.5 | fixed in 12.1.0 | ≥ 12.1.10, < 12.2.0 (+6 more) | 2026-03-27
  CWE-787. The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
  Sources: cvelistv5, nvd

CVE-2026-27877 | HIGH | CVSS 7.5 | fixed in 9.3.0 | ≥ 11.6.14, < 12.0.0 (+8 more) | 2026-03-27
  When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
  Sources: cvelistv5, nvd

CVE-2026-28375 | MEDIUM | CVSS 6.5 | fixed in 8.1.0 | ≥ 11.6.14, < 12.0.0 (+8 more) | 2026-03-27
  CWE-400. A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
  Sources: cvelistv5, nvd

CVE-2026-27879 | MEDIUM | CVSS 6.5 | fixed in 8.0.0 | ≥ 11.6.14, < 12.0.0 (+8 more) | 2026-03-27
  CWE-787. A resample query can be used to trigger out-of-memory crashes in Grafana.
  Sources: cvelistv5, nvd

CVE-2026-33375 | MEDIUM | CVSS 6.5 | ≥ 11.6.0, < 11.6.14; ≥ 12.1.0, < 12.1.10 (+3 more) | 2026-03-26
  CWE-400. The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
  Sources: nvd

CVE-2026-21725 | LOW | CVSS 2.0 | ≥ 11.0.0, < 12.4.1; ≥ v11.0.0, < v12.4.1 | 2026-02-25
  CWE-367. A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met:
  - The attacker must have admin access to the specific datasource prior to its first deletion.
  - Upon deletion, all steps within the attack must h
  Sources: cvelistv5, nvd

CVE-2026-21722 | MEDIUM | CVSS 5.3 | ≥ 9.3.0, < 11.6.10; ≥ 12.0.0, < 12.1.6 (+6 more) | 2026-02-12
  CWE-200. Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the publ
  Sources: nvd

CVE-2025-41117 | MEDIUM | CVSS 6.1 | ≥ 12.2.0, < 12.2.4; ≥ 12.3.0, < 12.3.2 (+2 more) | 2026-02-12
  CWE-79. Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
  Sources: nvd

CVE-2026-21720 | HIGH | CVSS 7.5 | ≥ 3.0.0, < 11.6.9; ≥ 12.0.0, < 12.0.8 (+3 more) | 2026-01-27
  CWE-400. Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping thi
  Sources: nvd

CVE-2025-41115 | CRITICAL | CVSS 9.8 | ≥ 12.0.0, < 12.2.1 | 2025-11-21
  CWE-266. SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised
  Sources: nvd

CVE-2025-6023 | HIGH | CVSS 7.6 | ≥ 12.0.x, < 12.0.2+security-01; ≥ 11.6.x, < 11.6.3+security-01 (+3 more) | 2025-07-18
  CWE-79. An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.
  Sources: cvelistv5, nvd

CVE-2025-6197 | MEDIUM | CVSS 4.2 | PoC | ≥ 12.0.x, < 12.0.2+security-01; ≥ 11.6.x, < 11.6.3+security-01 (+3 more) | 2025-07-18
  CWE-601. An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation:
  - Multiple organizations must exist in the Grafana instance
  - Victim must be on a different organization than the one specified in the URL
  Sources: cvelistv5, nvd

CVE-2025-3415 | MEDIUM | CVSS 4.3 | PoC | ≥ 10.4.x, < 10.4.19+security-01; ≥ 11.2.x, < 11.2.10+security-01 (+5 more) | 2025-07-17
  CWE-200. Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01
  Sources: cvelistv5, nvd

CVE-2025-1088 | LOW | CVSS 2.7 | fixed in 11.6.2 | 2025-06-18
  CWE-20. In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to an Improper Input Validation vulnerability in Grafana. This issue affects Grafana before 11.6.2 and is fixed in 11.6.2 and higher.
  Sources: cvelistv5, nvd

CVE-2025-3260 | HIGH | CVSS 8.3 | ≥ 11.6.0, < 11.6.1+security-01 | 2025-06-02
  CWE-863. A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact:
  - Viewers can view all dashboards/folders regardless of permissions
  - Editors can view/edit/delete all dashboards/folders rega
  Sources: cvelistv5, nvd

CVE-2025-3454 | MEDIUM | CVSS 5.0 | ≥ 11.6.0, < 11.6.0+security-01; ≥ 11.5.0, < 11.5.3+security-01 (+4 more) | 2025-06-02
  CWE-285. This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permi
  Sources: cvelistv5, nvd

CVE-2025-3580 | MEDIUM | CVSS 5.5 | ≥ 12.0.0, < 12.0.1; ≥ 11.6.1, < 11.6.2 (+5 more) | 2025-05-23
  CWE-284. An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when:
  1. An Organization administrator exists
  2. The Server administrator is either:
     - Not
  Sources: cvelistv5, nvd

CVE-2025-4123 | MEDIUM | CVSS 6.1 | PoC | fixed in 10.4.18 | ≥ 11.2.0, < 11.2.9 (+18 more) | 2025-05-22
  CWE-79. A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work
  Sources: cvelistv5, nvd

CVE-2025-2703 | MEDIUM | CVSS 6.8 | ≥ 11.6.0, < 11.6.0+security-01; ≥ 11.5.0, < 11.5.3+security-01 (+3 more) | 2025-04-23
  CWE-79. The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.
  Sources: cvelistv5, nvd