High severity · NVD Advisory · Published Nov 9, 2022 · Updated Jan 28, 2026
Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password
CVE-2022-39307
Description
Grafana is an open-source platform for monitoring and observability. When the forgot-password function on the login page is used, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, the JSON response contains a “user not found” message. This leaks account-existence information to unauthenticated users (user enumeration) and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.
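An added illustration, not Grafana's code: a minimal Go handler that reproduces the response difference the description refers to, beside a version that answers the same way whether or not the account exists. The request field name, the in-memory user store and the mail queue are assumptions standing in for the real implementation.

```go
package main
import (
	"bytes"
	"encoding/json"
	"net/http"
	"net/http/httptest"
)

var knownUsers = map[string]bool{"alice@example.com": true} // constructed user store (assumption)
var resetQueue []string                                     // constructed stand-in for the outbound mail queue
type resetRequest struct{ UserOrEmail string `json:"userOrEmail"` } // field name is an assumption
// reply writes {"message": msg} with the given HTTP status.
func reply(w http.ResponseWriter, code int, msg string) {
	w.WriteHeader(code)
	json.NewEncoder(w).Encode(map[string]string{"message": msg})
}
// vulnerableReset reproduces the advisory's behaviour: status and body reveal whether the account exists.
func vulnerableReset(w http.ResponseWriter, r *http.Request) {
	var req resetRequest
	if json.NewDecoder(r.Body).Decode(&req) != nil {
		reply(w, http.StatusBadRequest, "bad request")
		return
	}
	if !knownUsers[req.UserOrEmail] {
		reply(w, http.StatusNotFound, "user not found") // confirms to an unauthenticated caller that no such account exists
		return
	}
	resetQueue = append(resetQueue, req.UserOrEmail)
	reply(w, http.StatusOK, "Email sent")
}
// hardenedReset answers identically either way; only the side effect (queuing the mail) depends on existence.
// Queue the mail off the request path in production so response timing does not leak the same fact instead.
func hardenedReset(w http.ResponseWriter, r *http.Request) {
	var req resetRequest
	if json.NewDecoder(r.Body).Decode(&req) != nil {
		reply(w, http.StatusBadRequest, "bad request")
		return
	}
	if knownUsers[req.UserOrEmail] {
		resetQueue = append(resetQueue, req.UserOrEmail)
	}
	reply(w, http.StatusOK, "Email sent")
}
// probe posts one reset request to a handler and returns the status and raw body for comparison.
func probe(h http.HandlerFunc, userOrEmail string) (int, string) {
	body, _ := json.Marshal(resetRequest{UserOrEmail: userOrEmail})
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/api/user/password/sent-reset-email", bytes.NewReader(body)))
	return rec.Code, rec.Body.String()
}
```

Comparing the two responses of each handler for a known and an unknown account is the check a reviewer would run against the fix: the hardened handler must return the same status and body in both cases.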
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/grafana/grafana | Go | >= 9.0.0, < 9.2.4 | 9.2.4 |
| github.com/grafana/grafana | Go | < 8.5.15 | 8.5.15 |