High severity · 8.1 · NVD Advisory · Published Jan 27, 2026 · Updated Apr 20, 2026
CVE-2026-21721
Description
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
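The difference between the action-only check described above and a check that also verifies the target dashboard, as an added example (not Grafana's code and not part of the advisory). The `Permission` type, the function names, the `dashboards:uid:<uid>` scope strings and the dashboard UIDs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission pairs an action with the scope it was granted on (simplified model, not Grafana's types).
type Permission struct {
	Action string // e.g. "dashboards.permissions:write"
	Scope  string // e.g. "dashboards:uid:team-a" (assumed scope format)
}

// scopeCovers reports whether a granted scope covers the requested one; a trailing "*" is a prefix wildcard.
func scopeCovers(granted, requested string) bool {
	if strings.HasSuffix(granted, "*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return granted == requested
}

// ActionOnlyCheck models the flaw: any grant of the action passes,
// and the target dashboard is never compared with the grant's scope.
func ActionOnlyCheck(perms []Permission, action, _ string) bool {
	for _, p := range perms {
		if p.Action == action {
			return true
		}
	}
	return false
}

// ScopedCheck additionally requires the grant's scope to cover the target dashboard.
func ScopedCheck(perms []Permission, action, dashboardUID string) bool {
	target := "dashboards:uid:" + dashboardUID
	for _, p := range perms {
		if p.Action == action && scopeCovers(p.Scope, target) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed grant: permission management on dashboard "team-a" only.
	perms := []Permission{{"dashboards.permissions:write", "dashboards:uid:team-a"}}
	for _, uid := range []string{"team-a", "team-b"} {
		fmt.Println(uid, ActionOnlyCheck(perms, perms[0].Action, uid), ScopedCheck(perms, perms[0].Action, uid))
	}
}
```

A regression test for this class of bug should assert the negative case: a grant on one dashboard must be rejected for every other dashboard UID.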
Affected products
- cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* range: >=10.2.0,<11.6.9
- cpe:2.3:a:grafana:grafana:11.6.9:-:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:12.0.8:-:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:12.1.5:-:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:12.2.3:-:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:12.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:12.3.1:-:*:*:*:*:*:*
osv-coords (no CPE), 37 versions
- pkg:apk/chainguard/grafana-11.5 range: < 11.5.10-r2
- pkg:apk/wolfi/grafana-11.5 range: < 11.5.10-r2
- pkg:bitnami/grafana range: >= 10.2.0, < 11.6.9
- pkg:rpm/almalinux/grafana range: < 10.2.6-22.el10_1
- pkg:rpm/almalinux/grafana-selinux range: < 10.2.6-22.el10_1
- pkg:rpm/opensuse/dracut-saltboot&distro=openSUSE%20Leap%2015.6 range: < 1.1.0-150000.1.65.1
- pkg:rpm/opensuse/golang-github-boynux-squid_exporter&distro=openSUSE%20Leap%2015.6 range: < 1.13.0-150000.1.12.1
- pkg:rpm/opensuse/golang-github-lusitaniae-apache_exporter&distro=openSUSE%20Leap%2015.6 range: < 1.0.10-150000.1.26.1
- pkg:rpm/opensuse/golang-github-prometheus-promu&distro=openSUSE%20Leap%2015.6 range: < 0.17.0-150000.3.30.1
- pkg:rpm/opensuse/golang-github-QubitProducts-exporter_exporter&distro=openSUSE%20Leap%2015.6 range: < 0.4.0-150000.1.21.1
- pkg:rpm/opensuse/grafana&distro=openSUSE%20Leap%2015.6 range: < 11.6.11-150200.3.83.1
- pkg:rpm/opensuse/grafana&distro=openSUSE%20Tumbleweed range: < 11.6.14+security01-1.1
- pkg:rpm/opensuse/prometheus-blackbox_exporter&distro=openSUSE%20Leap%2015.6 range: < 0.26.0-150000.1.30.2
- pkg:rpm/opensuse/spacecmd&distro=openSUSE%20Leap%2015.6 range: < 5.0.15-150000.3.142.1
- pkg:rpm/suse/dracut-saltboot&distro=SUSE%20Manager%20Client%20Tools%2015 range: < 1.1.0-150000.1.65.1
- pkg:rpm/suse/dracut-saltboot&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205 range: < 1.1.0-150000.1.65.1
- pkg:rpm/suse/golang-github-boynux-squid_exporter&distro=SUSE%20Manager%20Client%20Tools%2015 range: < 1.13.0-150000.1.12.1
- pkg:rpm/suse/golang-github-lusitaniae-apache_exporter&distro=SUSE%20Manager%20Client%20Tools%2015 range: < 1.0.10-150000.1.26.1
- pkg:rpm/suse/golang-github-lusitaniae-apache_exporter&distro=SUSE%20Multi%20Linux%20Manager%20Tools%20SLE-15 range: < 1.0.10-150002.3.6.1
- pkg:rpm/suse/golang-github-prometheus-prometheus&distro=SUSE%20Manager%20Client%20Tools%2015 range: < 3.5.0-150000.3.67.1
- pkg:rpm/suse/golang-github-prometheus-prometheus&distro=SUSE%20Multi%20Linux%20Manager%20Tools%20SLE-15 range: < 3.5.0-150002.3.8.1
- pkg:rpm/suse/golang-github-prometheus-promu&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7 range: < 0.17.0-150000.3.30.1
- pkg:rpm/suse/golang-github-QubitProducts-exporter_exporter&distro=SUSE%20Manager%20Client%20Tools%2015 range: < 0.4.0-150000.1.21.1
- pkg:rpm/suse/golang-github-QubitProducts-exporter_exporter&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205 range: < 0.4.0-150000.1.21.1
- pkg:rpm/suse/grafana&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7 range: < 11.6.11-150200.3.83.1
- pkg:rpm/suse/grafana&distro=SUSE%20Manager%20Client%20Tools%2015 range: < 11.6.11-150000.1.90.1
- pkg:rpm/suse/grafana&distro=SUSE%20Multi%20Linux%20Manager%20Tools%20SLE-15 range: < 11.6.14+security01-150002.4.14.1
- pkg:rpm/suse/prometheus-blackbox_exporter&distro=SUSE%20Manager%20Client%20Tools%2015 range: < 0.26.0-150000.1.30.2
- pkg:rpm/suse/prometheus-blackbox_exporter&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205 range: < 0.26.0-150000.1.30.2
- pkg:rpm/suse/prometheus-blackbox_exporter&distro=SUSE%20Multi%20Linux%20Manager%20Tools%20SLE-15 range: < 0.26.0-150002.3.6.1
- pkg:rpm/suse/prometheus-blackbox_exporter&distro=SUSE%20Multi%20Linux%20Manager%20Tools%20SLE-Micro-5 range: < 0.26.0-150002.3.6.1
- pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Client%20Tools%2015 range: < 5.0.15-150000.3.142.1
- pkg:rpm/suse/spacecmd&distro=SUSE%20Multi%20Linux%20Manager%20Tools%20SLE-15 range: < 5.1.13-150002.3.9.3
- pkg:rpm/suse/uyuni-tools&distro=SUSE%20Manager%20Client%20Tools%2015 range: < 0.1.38-150000.1.30.1
- pkg:rpm/suse/uyuni-tools&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205 range: < 0.1.38-150000.1.30.1
- pkg:rpm/suse/uyuni-tools&distro=SUSE%20Multi%20Linux%20Manager%20Tools%20SLE-15 range: < 5.1.26-150002.3.12.1
- pkg:rpm/suse/uyuni-tools&distro=SUSE%20Multi%20Linux%20Manager%20Tools%20SLE-Micro-5 range: < 5.1.26-150002.3.12.1
References
- grafana.com/security/security-advisories/cve-2026-21721 (nvd, Vendor Advisory)