High severity 8.3 · GHSA Advisory · Published Jun 2, 2025 · Updated Apr 15, 2026

CVE-2025-3260

Description

A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).

Impact:

  • Viewers can view all dashboards/folders regardless of permissions
  • Editors can view/edit/delete all dashboards/folders regardless of permissions
  • Editors can create dashboards in any folder regardless of permissions
  • Anonymous users with viewer/editor roles are similarly affected

Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/grafana/grafana (Go)
Affected versions: >= 0.0.0-20250114093457-36d6fad421fb, < 0.0.0-20250521183405-c7a690348df7
Patched versions: 0.0.0-20250521183405-c7a690348df7
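As an added example (not code from the advisory or from the Grafana project), this Go program checks the github.com/grafana/grafana requirement in a go.mod file against the affected range listed here. It assumes the dependency is recorded as a base v0.0.0 pseudo-version; the function names, the sample go.mod and its commit hash are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Range bounds taken from the advisory's affected-versions entry.
const (
	grafanaModule = "github.com/grafana/grafana"
	introducedTS  = "20250114093457" // 0.0.0-20250114093457-36d6fad421fb
	fixedTS       = "20250521183405" // 0.0.0-20250521183405-c7a690348df7
)
// Sample is a constructed go.mod; its commit hash is a placeholder.
const Sample = `module example.com/plugin

require github.com/grafana/grafana v0.0.0-20250301120000-0123456789ab // indirect
`

// Base pseudo-version form: v0.0.0-<14-digit UTC timestamp>-<12-hex commit>.
var pseudoRe = regexp.MustCompile(`^v?0\.0\.0-(\d{14})-[0-9a-f]{12}$`)
// Classify returns "affected", "not-affected" or "unknown" for a version.
// Fixed-width digit timestamps sort lexically in chronological order.
func Classify(version string) string {
	m := pseudoRe.FindStringSubmatch(version)
	if m == nil {
		return "unknown" // tagged or other form: resolve the commit by hand
	}
	if m[1] >= introducedTS && m[1] < fixedTS {
		return "affected"
	}
	return "not-affected"
}

// ScanGoMod maps each required Grafana version in go.mod text to a verdict.
func ScanGoMod(gomod string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == grafanaModule {
			out[f[1]] = Classify(f[1])
		}
	}
	return out
}

func main() {
	fmt.Println(ScanGoMod(Sample))
}
```

A verdict of "unknown" means the version string is not a base pseudo-version, so the underlying commit has to be compared with the patched commit manually.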
