Low severity (score 2.6) · NVD Advisory · Published Feb 25, 2026 · Updated May 10, 2026
CVE-2026-21725
Description
A time-of-check to time-of-use (TOCTOU) vulnerability allows a datasource that was recently deleted and then recreated to be deleted again by a user who no longer holds permission to do so.
Exploitation requires all of the following, very stringent, conditions to be met:
- The attacker must have admin access to the specific datasource before its first deletion.
- Every step after that deletion must complete within the next 30 seconds and against the same Grafana pod.
- The attacker deletes the datasource, and someone else must then recreate it.
- The recreated datasource must not list the attacker as an admin (otherwise there is nothing to gain).
- The recreated datasource must have the same UID as the original. UIDs are randomised by default, so this is realistic mainly where UIDs are set explicitly (for example by provisioning).
- The attacker can then delete the recreated datasource without having permission on it.
- Once the 30 seconds have elapsed the stale state is gone and the attack cannot be repeated.
- No datasource with any other UID can be attacked.
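The conditions above (a 30-second window, same pod, same UID) are what you would expect from a permission decision that is cached per datasource UID on a single instance and outlives the datasource it was computed for. The page does not state Grafana's internal mechanism, so the following Go model is an added example and not Grafana's code: the per-UID cache with a 30-second TTL is an assumption chosen to reproduce the listed conditions. It replays the sequence once against a service that keeps cached decisions across a delete and once against a hardened variant that evicts them when the datasource is deleted.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var ErrForbidden = errors.New("forbidden")

type cacheEntry struct {
	allowed bool
	expires time.Time
}

// Service models one pod: a UID -> internal-ID table (the ID changes on every
// recreation), per-ID admin grants and a per-UID cache of permission decisions.
// The cache is an ASSUMED mechanism chosen to reproduce the advisory's
// conditions; it is not Grafana's implementation.
type Service struct {
	nextID        int64
	idByUID       map[string]int64
	admins        map[int64]map[string]bool        // internal ID -> admin users
	cache         map[string]map[string]cacheEntry // UID -> user -> decision
	now           func() time.Time
	evictOnDelete bool // hardened variant: drop a UID's cached decisions on delete
}

func NewService(now func() time.Time, evictOnDelete bool) *Service {
	return &Service{
		idByUID:       map[string]int64{},
		admins:        map[int64]map[string]bool{},
		cache:         map[string]map[string]cacheEntry{},
		now:           now,
		evictOnDelete: evictOnDelete,
	}
}

// Create adds a datasource under uid; only the listed users may administer it.
func (s *Service) Create(uid string, adminUsers ...string) {
	s.nextID++
	s.idByUID[uid] = s.nextID
	s.admins[s.nextID] = map[string]bool{}
	for _, u := range adminUsers {
		s.admins[s.nextID][u] = true
	}
}

// canAdmin is the "check": an unexpired cache entry is trusted without consulting
// the grant table, even if the datasource it was computed for has been replaced.
func (s *Service) canAdmin(user, uid string) bool {
	if e, ok := s.cache[uid][user]; ok && s.now().Before(e.expires) {
		return e.allowed
	}
	allowed := false
	if id, ok := s.idByUID[uid]; ok {
		allowed = s.admins[id][user]
	}
	if s.cache[uid] == nil {
		s.cache[uid] = map[string]cacheEntry{}
	}
	// 30 s TTL: assumed to match the advisory's window, not a Grafana constant.
	s.cache[uid][user] = cacheEntry{allowed: allowed, expires: s.now().Add(30 * time.Second)}
	return allowed
}

// Delete is the "use": the cached check may predate a delete-and-recreate of uid.
func (s *Service) Delete(user, uid string) error {
	id, ok := s.idByUID[uid]
	if !ok || !s.canAdmin(user, uid) {
		return ErrForbidden
	}
	delete(s.idByUID, uid)
	delete(s.admins, id)
	if s.evictOnDelete {
		delete(s.cache, uid) // a recreated datasource gets a fresh check
	}
	return nil
}

// Replay runs the advisory's sequence on one pod and returns the result of the
// attacker's second delete, issued delay after the first: nil means it was allowed.
func Replay(evictOnDelete bool, delay time.Duration) error {
	clock := time.Date(2026, 2, 25, 0, 0, 0, 0, time.UTC) // fake clock, advanced manually
	svc := NewService(func() time.Time { return clock }, evictOnDelete)
	svc.Create("ds-uid", "attacker") // attacker administers the original
	if err := svc.Delete("attacker", "ds-uid"); err != nil {
		return fmt.Errorf("first delete should succeed: %w", err)
	}
	clock = clock.Add(delay)
	svc.Create("ds-uid", "owner") // recreated with the same UID, attacker not an admin
	return svc.Delete("attacker", "ds-uid")
}

func main() {
	fmt.Println("vulnerable, retry after 10s:", Replay(false, 10*time.Second)) // <nil>: allowed
	fmt.Println("vulnerable, retry after 30s:", Replay(false, 30*time.Second)) // forbidden
	fmt.Println("hardened, retry after 10s:", Replay(true, 10*time.Second))    // forbidden
}
```

The model reproduces each listed condition: the attacker needs admin on the original so that the cached decision is "allowed"; the retry must hit the same pod because the cache is in-process; the recreated datasource must reuse the UID because that is the cache key; and after the TTL the entry expires and the grant table, which no longer lists the attacker, is consulted again. Evicting the UID's cached decisions on delete (or keying the cache on the internal ID, which changes on every recreation) closes the gap.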
Affected products
13 package coordinates from OSV; none has a CPE assigned. The upstream affected span is Grafana >= 11.0.0, < 12.4.1 (fixed in 12.4.1); the distribution entries carry backported fixes under their own version schemes.
- pkg:apk/chainguard/grafana-12.4: < 12.4.1-r0
- pkg:apk/wolfi/grafana-12.4: < 12.4.1-r0
- pkg:bitnami/grafana: >= 11.0.0, < 12.4.1
- pkg:rpm/opensuse/grafana (openSUSE Leap 16.0): < 11.6.14+security04-bp160.1.1
- pkg:rpm/opensuse/grafana (openSUSE Tumbleweed): < 11.6.14+security01-1.1
- pkg:rpm/suse/golang-github-lusitaniae-apache_exporter (SUSE Multi Linux Manager Tools SLE-15): < 1.0.10-150002.3.6.1
- pkg:rpm/suse/golang-github-prometheus-prometheus (SUSE Multi Linux Manager Tools SLE-15): < 3.5.0-150002.3.8.1
- pkg:rpm/suse/grafana (SUSE Multi Linux Manager Tools SLE-15): < 11.6.14+security01-150002.4.14.1
- pkg:rpm/suse/prometheus-blackbox_exporter (SUSE Multi Linux Manager Tools SLE-15): < 0.26.0-150002.3.6.1
- pkg:rpm/suse/prometheus-blackbox_exporter (SUSE Multi Linux Manager Tools SLE-Micro-5): < 0.26.0-150002.3.6.1
- pkg:rpm/suse/spacecmd (SUSE Multi Linux Manager Tools SLE-15): < 5.1.13-150002.3.9.3
- pkg:rpm/suse/uyuni-tools (SUSE Multi Linux Manager Tools SLE-15): < 5.1.26-150002.3.12.1
- pkg:rpm/suse/uyuni-tools (SUSE Multi Linux Manager Tools SLE-Micro-5): < 5.1.26-150002.3.12.1
The non-Grafana SUSE entries (the exporters, spacecmd and uyuni-tools) are packages shipped in the same SUSE Multi Linux Manager Tools update as the Grafana fix; the vulnerable component is Grafana itself.
References
- grafana.com/security/security-advisories/cve-2026-21725 (NVD: Vendor Advisory)