VYPR
High severity · NVD Advisory · Published Nov 9, 2022 · Updated Jan 28, 2026

Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password

CVE-2022-39307

Description

Grafana is an open-source platform for monitoring and observability. When the "forgot password" function on the login page is used, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, the JSON response contains a "user not found" message; because the response for an existing account differs, an unauthenticated requester can submit arbitrary usernames or email addresses and learn which accounts exist. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.
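To make the mechanism concrete, here is an added illustration (not Grafana's code) of a reset-email endpoint built both ways: the leaky variant answers differently for unknown accounts, as the advisory describes, while the fixed variant returns the same status and body either way and lets the user lookup decide only whether a mail is sent. The user store, the `userOrEmail` field name and the `SentTo` log are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

var knownUsers = map[string]bool{"alice@example.com": true} // constructed stand-in, not Grafana's code
var SentTo []string                                          // who a reset e-mail went to (mailing omitted)

// The JSON field name is an assumption, not taken from the advisory.
type resetForm struct{ UserOrEmail string `json:"userOrEmail"` }

func reply(w http.ResponseWriter, code int, msg string) {
	w.WriteHeader(code)
	json.NewEncoder(w).Encode(map[string]string{"message": msg})
}

// ResetHandler builds the endpoint: leaky=true reproduces the advisory's
// behaviour, leaky=false is the uniform-response fix.
func ResetHandler(leaky bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var f resetForm
		if json.NewDecoder(r.Body).Decode(&f) != nil {
			reply(w, http.StatusBadRequest, "bad request")
			return
		}
		exists := knownUsers[f.UserOrEmail]
		if leaky && !exists {
			// Vulnerable branch: the response reveals that no such account exists.
			reply(w, http.StatusNotFound, "user not found")
			return
		}
		if exists {
			SentTo = append(SentTo, f.UserOrEmail)
		}
		// Fixed path: identical status and body either way; only the side effect depends on the lookup.
		reply(w, http.StatusOK, "Email sent")
	}
}

// ResetResponse drives h with a POST to the path quoted in the advisory; returns status and trimmed body.
func ResetResponse(h http.HandlerFunc, userOrEmail string) (int, string) {
	body := strings.NewReader(`{"userOrEmail":"` + userOrEmail + `"}`)
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/api/user/password/sent-reset-email", body))
	return rec.Code, strings.TrimSpace(rec.Body.String())
}
```

A uniform status and body removes the direct oracle; a complete fix also keeps response time independent of whether the lookup found an account, and rate-limits the endpoint so it cannot be hammered with guesses.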

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions     Patched versions
github.com/grafana/grafana (Go)  >= 9.0.0, < 9.2.4     9.2.4
github.com/grafana/grafana (Go)  < 8.5.15              8.5.15
