Grafana Enterprise vulnerabilities

14 known vulnerabilities affecting grafana/grafana_enterprise.

Total CVEs: 14
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 9

Vulnerabilities

CVE-2025-41115 | CRITICAL | CVSS 9.8 | Affected: ≥ 12.0.0, < 12.2.1 | Published: 2025-11-21
CWE-266. SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised
Sources: cvelistv5, nvd
CVE-2025-3454 | MEDIUM | CVSS 5.0 | Affected: ≥ 11.6.0, < 11.6.0+security-01; ≥ 11.5.0, < 11.5.3+security-01; +4 more | Published: 2025-06-02
CWE-285. This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permi
Sources: cvelistv5, nvd
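The extra-slash bypass described above is the classic "authorize on the raw path, serve the normalised path" mismatch. The following is an added example (it is not Grafana's code and does not reproduce Grafana's real route definitions): a hypothetical route-permission table for a datasource proxy, the vulnerable and the hardened authorization check side by side, and a small scan over constructed access-log lines that flags proxy requests whose raw path differs from its canonical form. The `/api/datasources/proxy/` prefix and every log line are assumptions made for the example.

```python
import posixpath
import re
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical route-permission table for a datasource proxy. It is constructed
# for this example and does not reproduce Grafana's real route definitions.
ROUTE_PERMISSIONS: Dict[Tuple[str, str], str] = {
    ("GET", "/api/v1/alerts"): "alerts:read",
    ("GET", "/api/v1/rules"): "rules:read",
    ("POST", "/api/v1/silences"): "silences:write",
}

# Assumed proxy prefix, used only to select proxy requests in the log scan below.
PROXY_PREFIX = "/api/datasources/proxy/"


def match_route(method: str, path: str) -> Optional[str]:
    """Permission required by an exact (method, path) route, or None when no
    route-specific rule applies."""
    return ROUTE_PERMISSIONS.get((method, path))


def canonical_path(raw_path: str) -> str:
    """Collapse repeated slashes and '.'/'..' segments so the authorization
    layer decides on the same path the upstream will actually serve."""
    # Strip then re-add a single leading slash: posixpath.normpath keeps a
    # leading '//' as-is, which would defeat the point.
    return posixpath.normpath("/" + raw_path.lstrip("/"))


def authorize_naive(perms: Set[str], method: str, raw_path: str) -> bool:
    """Vulnerable pattern: route matching on the raw path. '/api/v1//alerts'
    matches no route, so no route-specific permission is demanded and the
    request passes as generic proxy traffic; the upstream then normalises it
    to '/api/v1/alerts' and serves the protected data."""
    required = match_route(method, raw_path)
    return True if required is None else required in perms


def authorize_hardened(perms: Set[str], method: str, raw_path: str) -> bool:
    """Fixed pattern: canonicalise first, then match routes."""
    required = match_route(method, canonical_path(raw_path))
    return True if required is None else required in perms


# --- Retrospective detection over access logs ---------------------------------
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines in common log format; these are not real Grafana logs.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/2025:10:00:01 +0000] "GET /api/datasources/proxy/uid/abc/api/v1/alerts HTTP/1.1" 403
10.0.0.5 - - [02/Jun/2025:10:00:02 +0000] "GET /api/datasources/proxy/uid/abc/api/v1//alerts HTTP/1.1" 200
10.0.0.7 - - [02/Jun/2025:10:00:03 +0000] "GET /api/dashboards/home HTTP/1.1" 200
"""


def find_slash_bypass_attempts(log_text: str) -> List[Tuple[str, str, str, int]]:
    """Flag proxy requests whose raw path differs from its canonical form:
    exactly the shape of a path an exact-match route table would miss."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.startswith(PROXY_PREFIX) and path != canonical_path(path):
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    viewer = {"rules:read"}  # a low-privilege account without alerts:read
    print("naive  GET /api/v1//alerts ->", authorize_naive(viewer, "GET", "/api/v1//alerts"))
    print("fixed  GET /api/v1//alerts ->", authorize_hardened(viewer, "GET", "/api/v1//alerts"))
    for hit in find_slash_bypass_attempts(SAMPLE_LOG):
        print("suspicious:", hit)
```

The detection side is intentionally conservative: it flags any proxy path that is not already canonical, whether or not the request succeeded, because a 403 followed by a 200 from the same client on the doubled-slash form is the pattern worth looking for.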
CVE-2025-2703 | MEDIUM | CVSS 6.8 | Affected: ≥ 11.6.0, < 11.6.0+security-01; ≥ 11.5.0, < 11.5.3+security-01; +3 more | Published: 2025-04-23
CWE-79. The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.
Sources: cvelistv5, nvd
CVE-2024-6322 | MEDIUM | CVSS 5.4 | Affected: ≥ 11.1.0, < 11.1.1; ≥ 11.1.2, < 11.1.3 | Published: 2024-08-20
CWE-266. Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.
Sources: cvelistv5, nvd
CVE-2023-6152 | MEDIUM | CVSS 5.4 | Affected: ≥ 2.5.0, < 9.5.16; ≥ 10.0.0, < 10.0.11; +3 more | Published: 2024-02-13
CWE-863. A user who changed their email after signing up and verifying it could change it again without verification in profile settings. The configuration option "verify_email_enabled" only validates the email on sign up.
Sources: cvelistv5, nvd
CVE-2023-4399 | HIGH | CVSS 7.2 | Affected: ≥ 10.1.0, < 10.1.5; ≥ 10.0.0, < 10.0.9; +2 more | Published: 2023-10-17
CWE-183. Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana so that the instance doesn't call specific hosts. However, the restriction can be bypassed using punycode encoding of the characters in the request address.
Sources: cvelistv5, nvd
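A deny list that compares the raw request host against its entries is only as strong as the encoding-equivalences it ignores; punycode (IDNA) gives an attacker several spellings of the same name. The example below is added here and is not Grafana's Request security implementation or its fix: it shows a naive string comparison next to a check that canonicalises both sides through Python's standard-library `idna` codec (nameprep folding, plus round-trip validation of `xn--` labels) and refuses names it cannot process. The deny-list entries and the probe hostnames are constructed; the page does not give the exact payload used against Grafana.

```python
import ipaddress
from typing import Iterable, Optional


def canonical_host(host: str) -> Optional[str]:
    """ASCII (A-label) form of a hostname after full IDNA processing, or None
    when the name cannot be processed.

    The built-in 'idna' codec applies nameprep (case folding + NFKC), so
    compatibility characters such as fullwidth letters collapse to the ASCII
    they resolve to, and an existing 'xn--' label is round-trip checked and
    rejected if it does not re-encode to itself."""
    name = host.strip().rstrip(".").lower()
    if not name:
        return None
    try:
        # IP literals: return the normalised textual form, no IDNA needed.
        return str(ipaddress.ip_address(name.strip("[]")))
    except ValueError:
        pass
    try:
        unicode_form = name.encode("idna").decode("idna")   # fold, decode xn--
        return unicode_form.encode("idna").decode("ascii")  # re-encode canonically
    except UnicodeError:
        return None


def is_denied_naive(host: str, denylist: Iterable[str]) -> bool:
    """Vulnerable pattern: byte-for-byte comparison of the raw request host."""
    return host.lower().rstrip(".") in {d.lower() for d in denylist}


def is_denied_hardened(host: str, denylist: Iterable[str]) -> bool:
    """Fixed pattern: compare canonical forms, and refuse any name that
    cannot be canonicalised rather than letting it through."""
    canon = canonical_host(host)
    if canon is None:
        return True
    denied = {canonical_host(d) for d in denylist}
    denied.discard(None)
    return canon in denied


# Constructed deny list for the example; not a real Request security config.
DENYLIST = ["internal.example", "169.254.169.254"]

if __name__ == "__main__":
    # U+FF49 (fullwidth 'i') is NFKC-equivalent to 'i': a client that IDNA-encodes
    # the name resolves internal.example, but the raw string never equals the
    # deny-list entry.
    probe = "\uff49nternal.example"
    print("naive    ->", is_denied_naive(probe, DENYLIST))
    print("hardened ->", is_denied_hardened(probe, DENYLIST))
    # A hand-built 'xn--' label that does not round-trip is refused outright.
    print("xn--internal- ->", is_denied_hardened("xn--internal-.example", DENYLIST))
```

The important design choice is the fail-closed branch: a name the canonicaliser rejects is treated as denied, because "could not normalise" is exactly the condition an attacker is trying to produce. Canonicalising the deny-list entries as well keeps an admin-entered Unicode hostname and its A-label form in agreement.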
CVE-2023-4822 | HIGH | CVSS 7.2 | Affected: ≥ 8.0.0, < 9.4.16; ≥ 9.5.0, < 9.5.11; +2 more | Published: 2023-10-16
CWE-269. Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It al
Sources: cvelistv5, nvd
CVE-2023-3128 | CRITICAL | CVSS 9.8 | Affected: ≥ 9.5.0, < 9.5.4; ≥ 9.4.0, < 9.4.13; +3 more | Published: 2023-06-22
CWE-290. Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
Sources: cvelistv5, nvd
CVE-2023-2183 | MEDIUM | CVSS 6.4 | Affected: ≥ 8.0.0, < 8.5.26; ≥ 9.0.0, < 9.2.19; +3 more | Published: 2023-06-06
CWE-284. Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function. This might enable malicious users to
Sources: cvelistv5, nvd
CVE-2023-2801 | MEDIUM | CVSS 5.3 | Affected: ≥ 9.4.0, < 9.4.12; ≥ 9.5.0, < 9.5.3 | Published: 2023-06-06
CWE-820. Grafana is an open-source platform for monitoring and observability. Using public dashboards, users can query multiple distinct data sources using mixed queries. However, such a query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by call
Sources: cvelistv5, nvd
CVE-2023-1387 | HIGH | CVSS 7.5 | Affected: ≥ 9.1.0, < 9.2.17; ≥ 9.3.0, < 9.3.13; +1 more | Published: 2023-04-26
CWE-200. Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker h
Sources: cvelistv5, nvd
CVE-2023-1410 | MEDIUM | CVSS 4.8 | Affected: ≥ 8.0.0, < 8.5.22; ≥ 9.0.0, < 9.2.15; +1 more | Published: 2023-03-23
CWE-79. Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible because the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate
Sources: cvelistv5, nvd
CVE-2023-0594 | MEDIUM | CVSS 5.4 | Affected: ≥ 7.0.0, < 8.5.21; ≥ 9.0.0, < 9.2.13; +1 more | Published: 2023-03-01
CWE-79. Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible because the values of a span's attributes/resources were not properly sanitized, and they are rendered when the span's attributes/resources a
Sources: cvelistv5, nvd
CVE-2023-0507 | MEDIUM | CVSS 5.4 | Affected: ≥ 8.1.0, < 8.5.21; ≥ 9.0.0, < 9.2.13; +1 more | Published: 2023-03-01
CWE-79. Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because map attributions were not properly sanitized, which allowed arbitrary JavaScript to be executed in the context of the currently authori
Sources: cvelistv5, nvd