CVE-2022-2531
Description
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab was not performing correct authentication on Grafana API under specific conditions allowing unauthenticated users to perform queries through a path traversal vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE fails to authenticate Grafana API requests, allowing unauthenticated users to query any datasource via path traversal.
Vulnerability
A path traversal vulnerability exists in the GitLab EE Grafana integration, specifically in the /grafana/proxy endpoint. Affected versions are GitLab EE from 12.5 before 15.0.5, from 15.1 before 15.1.4, and from 15.2 before 15.2.1. The integration incorrectly delegates API calls to a configured Grafana server without verifying that the requesting user is authenticated to access that Grafana instance. This allows an unauthenticated attacker to make requests to any Grafana datasource that has proxy access enabled, such as Prometheus or SQL databases [1].
Exploitation
An attacker does not need authentication to GitLab EE. By crafting an HTTP request to the /grafana/proxy endpoint with a path that traverses to the Grafana API, the attacker has GitLab forward that request to the Grafana server as if it came from the configured integration, that is, under the integration's admin token [1]. No user interaction or special network position is required beyond network access to the GitLab instance.
Impact
Successful exploitation allows an unauthenticated attacker to perform authenticated queries to any Grafana datasource configured with proxy access. This can lead to unauthorized access to sensitive metrics data stored in Prometheus, SQL databases, or other datasources. The attacker gains the same access level as the Grafana admin token used for the integration, potentially enabling data exfiltration or information disclosure [1].
Mitigation
GitLab released fixed versions 15.0.5, 15.1.4, and 15.2.1. No workaround is available, so affected instances should upgrade to one of these versions or later to close the authentication bypass [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=12.5, <15.0.5 || >=15.1, <15.1.4 || >=15.2, <15.2.1
- Range: >=12.5, <15.0.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authentication and authorization checks on the `/grafana/proxy` endpoint allow unauthenticated users to make arbitrary proxy requests to any Grafana datasource using the configured Admin API token."
Attack vector
An unauthenticated attacker sends a GET request to `/-/grafana/proxy/{datasource_id}/{proxy_path}` on a public project that has the Grafana integration enabled. The first request may return a 204 (redirect); repeating the same request (with a cache-busting query parameter) returns the Grafana datasource response. Because the endpoint does not enforce authentication or restrict which datasource ID is used, the attacker can enumerate datasource IDs (starting from 1) and issue arbitrary API calls to any Grafana datasource that has proxy access enabled, including Prometheus, Elasticsearch, or SQL databases [ref_id=1].
Affected code
The vulnerable endpoint is `/group/project/-/grafana/proxy` handled by `app/controllers/projects/grafana_api_controller.rb`. The backend call `proxy_datasource` in `lib/grafana/client.rb` forwards requests to `{api_url}/api/datasources/proxy/{datasource_id}/{proxy_path}` without validating which datasource is targeted or whether the user is authenticated [ref_id=1].
What the fix does
The advisory does not include a published patch diff. The recommended fix is to add authentication checks and input validation to the `/grafana/proxy` endpoint so that only authorized users can make proxy requests, and to restrict which datasource IDs and proxy paths are allowed. The issue was addressed in GitLab EE versions 15.0.5, 15.1.4, and 15.2.1 [ref_id=1].
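As an added example (not GitLab's code, and not the fix GitLab shipped, which the advisory does not publish), the plain-Ruby model below shows the three checks the recommended fix describes for `/-/grafana/proxy/{datasource_id}/{proxy_path}`: the caller must be an authenticated project member, the datasource ID must be one the project configured, and the proxy path must be decoded once, free of traversal segments, and on an allowlist. The allowed path prefixes and the project record are assumptions.

```ruby
require 'uri'

# Added example, not GitLab's code: a self-contained model of the checks a
# hardened /-/grafana/proxy/{datasource_id}/{proxy_path} handler must pass
# before forwarding a request with the integration's Grafana admin token.
module GrafanaProxyGuard
  # Assumed allowlist: the Prometheus read endpoints a metrics dashboard needs.
  ALLOWED_PATH_PREFIXES = %w[api/v1/query api/v1/query_range api/v1/labels].freeze

  Decision = Struct.new(:allowed, :reason)

  # Constructed stand-in for a project record (not GitLab's model).
  SAMPLE_PROJECT = { integration_enabled: true, datasource_ids: [10], members: ['alice'] }.freeze

  # user is nil for an unauthenticated request. Every check is applied before
  # anything is sent upstream; the first failing check names the reason.
  def self.authorize(user:, project:, datasource_id:, proxy_path:)
    return deny(:unauthenticated) if user.nil?
    return deny(:forbidden) unless project[:members].include?(user)
    return deny(:integration_disabled) unless project[:integration_enabled]

    # Only datasources this project explicitly configured, never an arbitrary id.
    id = Integer(datasource_id.to_s, exception: false)
    return deny(:unknown_datasource) unless id && project[:datasource_ids].include?(id)

    # Decode exactly once; a '%' that survives means double encoding.
    decoded = URI.decode_www_form_component(proxy_path.to_s)
    return deny(:bad_path) if decoded.include?('%') || decoded.start_with?('/')

    # Reject '.', '..' and empty segments so "api/v1/..%2f../admin" cannot reach
    # any Grafana API outside the allowlist.
    return deny(:traversal) if decoded.split('/').any? { |s| ['', '.', '..'].include?(s) }

    allowed = ALLOWED_PATH_PREFIXES.any? { |p| decoded == p || decoded.start_with?("#{p}/") }
    return deny(:path_not_allowed) unless allowed

    Decision.new(true, :ok)
  rescue ArgumentError # malformed percent-encoding in proxy_path
    deny(:bad_path)
  end

  def self.deny(reason)
    Decision.new(false, reason)
  end
end
```

The query string (for example `?query=a`) is handled separately by the real endpoint; this model validates only the path component that is spliced into the upstream Grafana URL.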
Preconditions
- config: The target GitLab project must have the Grafana integration enabled with an Admin-level Grafana API token configured
- auth: The target project must be public (or the attacker must have at least Guest access)
- network: The attacker must be able to reach the GitLab instance over HTTP/HTTPS
- input: The attacker sends crafted HTTP GET requests to the /grafana/proxy endpoint with a numeric datasource ID and arbitrary proxy path
Reproduction
1. Set up a public GitLab project with the Grafana integration enabled (Grafana URL + Admin API token).
2. Ensure a Prometheus datasource exists in Grafana and note its numeric ID (e.g., 10).
3. As an unauthenticated user, visit `https://gitlab.com/GROUP/PROJECT/-/grafana/proxy/10/api/v1/labels?a=a`; the first request returns a 204 redirect.
4. Repeat the same request: `https://gitlab.com/GROUP/PROJECT/-/grafana/proxy/10/api/v1/labels?query=a`; the response contains JSON data from the Prometheus server [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2531.json (MITRE x_refsource_CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/364252 (MITRE x_refsource_MISC)
- hackerone.com/reports/1566306 (MITRE x_refsource_MISC)