High severity · 8.1 · NVD Advisory · Published Jan 27, 2026 · Updated Apr 20, 2026
CVE-2026-21721
Description
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
Affected products
- cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* (range: >=10.2.0,<11.6.9)
- cpe:2.3:a:grafana:grafana:11.6.9:-:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:12.0.8:-:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:12.1.5:-:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:12.2.3:-:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:12.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:12.3.1:-:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- grafana.com/security/security-advisories/cve-2026-21721 (nvd, Vendor Advisory)