Grafana
by Grafana
CVEs (86)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-21721 | Grafana / Grafana | High | 0.53 | 8.1 | 0.00 | | Jan 27, 2026 | The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an… |
| CVE-2025-4123 | Grafana / Grafana | High | 0.53 | 7.6 | 0.94 | | May 22, 2025 | A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not… |
| CVE-2026-27876 | Grafana / Grafana | Critical | 0.52 | 9.1 | 0.02 | | Mar 27, 2026 | A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only… |
| CVE-2026-33376 | Grafana / Grafana | High | 0.48 | 7.4 | 0.00 | | May 13, 2026 | When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are… |
| CVE-2025-3260 | Grafana / Grafana | High | 0.47 | 8.3 | 0.00 | | Jun 2, 2025 | A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders… |
| CVE-2026-33377 | Grafana / Grafana | High | 0.46 | 7.1 | 0.00 | | May 13, 2026 | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege. |
| CVE-2025-6023 | Grafana / Grafana | High | 0.45 | 7.6 | 0.38 | | Jul 18, 2025 | An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions… |
| CVE-2026-33378 | Grafana / Grafana | Medium | 0.42 | 6.5 | 0.00 | | May 13, 2026 | Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server. |
| CVE-2026-28383 | Grafana / Grafana | Medium | 0.42 | 6.5 | 0.00 | | May 13, 2026 | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service. |
| CVE-2026-28380 | Grafana / Grafana | Medium | 0.42 | 6.5 | 0.00 | | May 13, 2026 | Any Editor could delete any snapshot, even if they have no access to read or write them. |
| CVE-2026-28379 | Grafana / Grafana | Medium | 0.42 | 6.5 | 0.00 | | May 13, 2026 | A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server. |
| CVE-2026-28376 | Grafana / Grafana | Medium | 0.42 | 6.5 | 0.00 | | May 13, 2026 | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue. |
| CVE-2026-27880 | Grafana / Grafana | High | 0.42 | 7.5 | 0.01 | | Mar 27, 2026 | The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. |
| CVE-2024-1313 | Grafana / Grafana | Medium | 0.42 | 6.5 | 0.01 | | Mar 26, 2024 | It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the… |
| CVE-2025-3580 | Grafana / Grafana | Medium | 0.36 | 5.5 | 0.00 | | May 23, 2025 | An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An… |
| CVE-2025-12141 | Grafana / Grafana | Medium | 0.35 | 6.5 | 0.00 | | Apr 15, 2026 | In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions "alert.notifications:write" or "alert.notifications.receivers:test" that are granted as part of the fixed role "Contact Point Writer", which is part of the basic… |
| CVE-2026-28375 | Grafana / Grafana | Medium | 0.35 | 6.5 | 0.00 | | Mar 27, 2026 | A testdata data-source can be used to trigger out-of-memory crashes in Grafana. |
| CVE-2026-27879 | Grafana / Grafana | Medium | 0.35 | 6.5 | 0.00 | | Mar 27, 2026 | A resample query can be used to trigger out-of-memory crashes in Grafana. |
| CVE-2026-27877 | Grafana / Grafana | Medium | 0.35 | 6.5 | 0.00 | | Mar 27, 2026 | When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as… |
| CVE-2026-33375 | Grafana / Grafana | Medium | 0.35 | 6.5 | 0.00 | | Mar 26, 2026 | The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container. |
Page 1 of 5