Grafana vulnerabilities
111 known vulnerabilities affecting grafana/grafana.
Total CVEs: 111
CISA KEV: 2 (actively exploited)
Public exploits: 13
Exploited in wild: 7
Severity breakdown: CRITICAL 7, HIGH 36, MEDIUM 62, LOW 6
Vulnerabilities
Page 1 of 6
CVE-2021-39226 | P1 | HIGH (CVSS 7.3) | CWE-287 | CISA KEV, public PoC | fixed in 7.5.11; affected: ≥ 8.0.0, < 8.1.6 (+1 more) | published 2021-10-05
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauth
Source: nvd
CVE-2021-43798 | P1 | HIGH (CVSS 7.5) | CWE-22 | CISA KEV, public PoC | affected: ≥ 8.0.1, < 8.0.7; ≥ 8.1.0, < 8.1.8 (+7 more) | published 2021-12-07
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) is vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerabl
Source: nvd
CVE-2020-13379 | P1 | HIGH (CVSS 8.2) | CWE-918 | exploited in the wild, public PoC | affected: ≥ 3.0.1, ≤ 7.0.1 | published 2020-06-03
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid U
Source: nvd
CVE-2025-4123 | P2 | MEDIUM (CVSS 6.1) | CWE-79 | exploited in the wild, public PoC | fixed in 10.4.18; affected: ≥ 11.2.0, < 11.2.9 (+18 more) | published 2025-05-22
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work
Source: nvd
CVE-2021-27358 | P1 | HIGH (CVSS 7.5) | no CWE assigned | exploited in the wild, public PoC | affected: ≥ 6.7.3, ≤ 7.4.1 | published 2021-03-18
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
Source: nvd
CVE-2021-41174 | P2 | MEDIUM (CVSS 6.1) | CWE-79 | exploited in the wild, public PoC | affected: ≥ 8.0.0, < 8.2.3 | published 2021-11-03
Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be f
Source: nvd
CVE-2025-3415 | P2 | MEDIUM (CVSS 4.3) | CWE-200 | exploited in the wild, public PoC | affected: ≥ 10.4.x, < 10.4.19+security-01; ≥ 11.2.x, < 11.2.10+security-01 (+5 more) | published 2025-07-17
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission.
Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01
Source: nvd
CVE-2024-9264 | P2 | HIGH (CVSS 8.8) | CWE-94 | public PoC | affected: v11.0.0; ≥ 11.0.0, < 11.0.5 (+5 more) | published 2024-10-18
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `
Source: nvd
CVE-2022-26148 | P1 | CRITICAL (CVSS 9.8) | CWE-312 | public PoC | affected: ≤ 7.3.4 | published 2022-03-21
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password
Source: nvd
CVE-2019-15043 | P2 | HIGH (CVSS 7.5) | CWE-306 | public PoC | affected: ≥ 2.0.0, < 5.4.5; ≥ 6.0.0, < 6.3.4 | published 2019-09-03
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
Source: nvd
CVE-2025-6023 | P2 | HIGH (CVSS 7.6) | CWE-79 | public PoC | affected: ≥ 12.0.x, < 12.0.2+security-01; ≥ 11.6.x, < 11.6.3+security-01 (+3 more) | published 2025-07-18
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.
The open redirect can be chained with path traversal vulnerabilities to achieve XSS.
Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.
Source: nvd
CVE-2018-15727 | P2 | CRITICAL (CVSS 9.8) | CWE-287 | affected: ≥ 2.0.0, ≤ 2.1.2; ≥ 3.0.0, ≤ 3.1.1 (+2 more) | published 2018-08-29
Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.
Source: nvd
CVE-2025-41115 | P2 | CRITICAL (CVSS 9.8) | CWE-266 | affected: ≥ 12.0.0, < 12.2.1 | published 2025-11-21
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.
In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised
Source: nvd
CVE-2022-31097 | P2 | HIGH (CVSS 8.7) | CWE-79 | affected: ≥ 8.0.0, < 8.3.10; ≥ 8.4.0, < 8.4.10 (+6 more) | published 2022-07-15
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated ad
Source: nvd
CVE-2023-3128 | P2 | CRITICAL (CVSS 9.8) | CWE-290 | affected: ≥ 6.7.0, < 8.5.27; ≥ 9.2.0, < 9.2.20 (+3 more) | published 2023-06-22
Grafana is validating Azure AD accounts based on the email claim.
On Azure AD, the profile email field is not unique and can be easily modified.
This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
Source: nvd
CVE-2026-27876 | P2 | CRITICAL (CVSS 9.1) | CWE-94 | fixed in 11.6.0; affected: ≥ 11.6.14, < 12.0.0 (+8 more) | published 2026-03-27
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.
Only instances with the sqlExpressions feature toggle enabled are vulnerable.
O
Source: nvd
CVE-2020-27846 | P2 | CRITICAL (CVSS 9.8) | CWE-115 | fixed in 6.7.5; affected: ≥ 7.0.0, < 7.2.3 (+1 more) | published 2020-12-21
A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Source: nvd
CVE-2020-11110 | P3 | MEDIUM (CVSS 5.4) | CWE-79 | public PoC | affected: ≤ 6.7.1 | published 2020-07-27
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
Source: nvd
CVE-2022-24812 | P3 | HIGH (CVSS 8.8) | CWE-269 | affected: ≥ 8.1.0, < 8.4.6; ≥ 8.1.0-beta1, < 8.4.6 | published 2022-04-12
Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructed, the consequent requests with any API Key evaluate to
Source: nvd
CVE-2024-1442 | P3 | HIGH (CVSS 8.8) | CWE-269 | affected: ≥ 8.5.0, < 9.5.7; ≥ 10.0.0, < 10.0.12 (+3 more) | published 2024-03-07
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.
Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
Source: nvd