Grafana Enterprise
by Grafana
CVEs (19)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-9476 | | Med | 0.33 | — | 0.00 | | Nov 13, 2024 | A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation, letting users gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant. This vulnerability will only affect users who… |
| CVE-2023-0507 | | | 0.05 | — | 0.15 | | Mar 1, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because map attributions weren't properly sanitized and… |
| CVE-2023-0594 | | | 0.03 | — | 0.09 | | Mar 1, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible because the values of a span's attributes/resources were not… |
| CVE-2025-41117 | | | 0.00 | — | 0.00 | | Feb 12, 2026 | Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected;… |
| CVE-2026-21722 | | | 0.00 | — | 0.00 | | Feb 12, 2026 | Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did… |
| CVE-2025-41115 | | | 0.00 | — | 0.17 | | Nov 21, 2025 | SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a… |
| CVE-2023-6152 | | | 0.00 | — | 0.01 | | Feb 13, 2024 | A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" only validates the email on sign up. |
| CVE-2023-4399 | | | 0.00 | — | 0.01 | | Oct 17, 2023 | Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn't call specific hosts. However, the restriction can be bypassed used… |
| CVE-2023-4822 | | | 0.00 | — | 0.01 | | Oct 16, 2023 | Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer,… |
| CVE-2023-3128 | | | 0.00 | — | 0.04 | | Jun 22, 2023 | Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. |
| CVE-2023-2183 | | | 0.00 | — | 0.01 | | Jun 6, 2023 | Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API… |
| CVE-2023-2801 | | | 0.00 | — | 0.01 | | Jun 6, 2023 | Grafana is an open-source platform for monitoring and observability. Using public dashboards, users can query multiple distinct data sources using mixed queries. However, such a query can crash a Grafana instance. The only feature that uses mixed queries at… |
| CVE-2023-1387 | | | 0.00 | — | 0.01 | | Apr 26, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration… |
| CVE-2023-1410 | | | 0.00 | — | 0.01 | | Mar 23, 2023 | Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible because the value of the Function Description was not properly sanitized. An… |
| CVE-2022-44643 | | | 0.00 | — | 0.00 | | Dec 21, 2022 | A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. If an access policy which has label selector restrictions also has been granted access to all tenants in the system, the label selector… |
| CVE-2022-29170 | | | 0.00 | — | 0.01 | | May 20, 2022 | Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security allow list allows admins to configure Grafana in a way so that the instance doesn't call, or only calls, specific hosts. The vulnerability present starting with… |
| CVE-2022-24812 | | | 0.00 | — | 0.02 | | Apr 12, 2022 | Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses a Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the… |
| CVE-2021-28147 | | | 0.00 | — | 0.02 | | Mar 22, 2021 | The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows… |
| CVE-2021-28146 | | | 0.00 | — | 0.01 | | Mar 22, 2021 | The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to… |