High severity · 8.3 · GHSA Advisory · Published Jun 2, 2025 · Updated Apr 15, 2026
CVE-2025-3260
Description
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).
Impact:
- Viewers can view all dashboards/folders regardless of permissions
- Editors can view/edit/delete all dashboards/folders regardless of permissions
- Editors can create dashboards in any folder regardless of permissions
- Anonymous users with viewer/editor roles are similarly affected
Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grafana/grafana (Go) | >= 0.0.0-20250114093457-36d6fad421fb, < 0.0.0-20250521183405-c7a690348df7 | 0.0.0-20250521183405-c7a690348df7 |
Affected products
9 products:
- osv-coords (8 versions; < 0, + 7 more):
  - pkg:apk/chainguard/grafana-fips-11.6
  - pkg:apk/chainguard/grafana-fips-12.2
  - pkg:apk/chainguard/grafana-fips-12.3
  - pkg:apk/chainguard/grafana-fips-12.4
  - pkg:apk/chainguard/grafana-fips-13.0
  - pkg:bitnami/grafana
  - pkg:golang/github.com/grafana/grafana
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: >= 11.6.0, < 11.6.1
- (no CPE) range: >= 0.0.0-20250114093457-36d6fad421fb, < 0.0.0-20250521183405-c7a690348df7
- (no CPE) range: < 0.0.20250612T141001-1.1
References
6 references:
- github.com/advisories/GHSA-3px7-c4j3-576r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-3260 (ghsa, ADVISORY)
- github.com/grafana/grafana/blob/be8d153dc33734caba4f617ff571d18253e68fa0/CHANGELOG.md (ghsa, WEB)
- grafana.com/blog/2025/04/22/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-3260-cve-2025-2703-cve-2025-3454 (ghsa, WEB)
- grafana.com/security/security-advisories/CVE-2025-3260 (ghsa, WEB)
- grafana.com/security/security-advisories/CVE-2025-3260/ (nvd)