Releases198
Frequency1 week 17 hours
Last Release
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, Elasticsearch, OpenTSDB, Prometheus and InfluxDB. **Please Note**: This is an automatically updated package. If you find it is out of date by more than a day or two, please contact the maintainer(s) and let them know [here](https://github.com/mkevenaar/chocolatey-packages/issues) that the package is no longer updating correctly.

CVE History

CVEAffectedPublishedCVSS v3CVSS v2
<= 11.6.14, >= 12.2.0, <= 12.2.8, >= 12.3.0, <= 12.3.6, >= 12.4.0, <= 12.4.3, >= 13.0.0, <= 13.0.17.5 HIGH

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.

= 12.4.07.3 HIGH

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix

= 11.6.05.4 MEDIUM

The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.

>= 8.5.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.16.5 MEDIUM

Any Editor could delete any snapshot, even if they have no access to read or write them.

>= 11.6.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.15.9 MEDIUM

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.

>= 11.6.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.16.3 MEDIUM

A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

>= 8.0.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.16.5 MEDIUM

Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.

>= 8.5.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.17.1 HIGH

An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.

>= 8.5.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.17.4 HIGH

When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here.

>= 8.5.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.16.5 MEDIUM

A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.

>= 8.5.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.14.3 MEDIUM

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

>= 8.5.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.16.5 MEDIUM

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

= *, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.1, >= 8.0.0, < 11.6.14, >= 12.0.0, < 12.2.86.5 MEDIUM

The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.

< 11.6.11, >= 12.0.0, < 12.0.9, >= 12.1.0, < 12.1.6, >= 12.2.0, < 12.2.4, >= 12.3.0, < 12.3.33.3 LOW

--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.

>= 8.0.0, <= 12.3.06.5 MEDIUM

In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.

< 8.1.0, >= 11.6.14, < 12.0.0, >= 12.1.10, < 12.2.0, >= 12.2.8, < 12.3.0, >= 12.3.6, < 12.4.06.5 MEDIUM

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

< 12.1.0, >= 12.1.10, < 12.2.0, >= 12.2.8, < 12.3.0, >= 12.3.6, < 12.4.07.5 HIGH

The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.

< 8.0.0, >= 11.6.14, < 12.0.0, >= 12.1.10, < 12.2.0, >= 12.2.8, < 12.3.0, >= 12.3.6, < 12.4.06.5 MEDIUM

A resample query can be used to trigger out-of-memory crashes in Grafana.

< 9.3.0, >= 11.6.14, < 12.0.0, >= 12.1.10, < 12.2.0, >= 12.2.8, < 12.3.0, >= 12.3.6, < 12.4.06.5 MEDIUM

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

< 11.6.0, >= 11.6.14, < 12.0.0, >= 12.1.10, < 12.2.0, >= 12.2.8, < 12.3.0, >= 12.3.6, < 12.4.09.1 CRITICAL

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life. - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix. - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix. - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.

>= 11.6.0, < 11.6.14, >= 12.1.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.26.5 MEDIUM

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.

>= 11.6.9, < 11.6.14, >= 12.1.5, < 12.1.10, >= 12.2.2, < 12.2.8, >= 12.3.1, < 12.3.65.4 MEDIUM

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

>= 11.0.0, < 12.4.12.6 LOW

A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion. - Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana. - The attacker must delete the datasource, then someone must recreate it. - The new datasource must not have the attacker as an admin. - The new datasource must have the same UID as the prior datasource. These are randomised by default. - The datasource can now be re-deleted by the attacker. - Once 30 seconds are up, the attack is spent and cannot be repeated. - No datasource with any other UID can be attacked.

>= 9.3.0, < 11.6.10, >= 12.0.0, < 12.1.6, >= 12.2.0, <= 12.2.4, >= 12.3.0, <= 12.3.2, = 11.6.10, = 12.1.6, = 12.2.4, = 12.3.25.3 MEDIUM

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.

>= 12.2.0, < 12.2.4, >= 12.3.0, < 12.3.2, = 12.2.4, = 12.3.26.8 MEDIUM

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.

>= 10.2.0, < 11.6.9, >= 12.0.0, < 12.0.8, >= 12.1.0, < 12.1.5, >= 12.2.0, < 12.2.3, = 11.6.9, = 12.0.8, = 12.1.5, = 12.2.3, = 12.3.0, = 12.3.18.1 HIGH

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.

>= 3.0.0, < 11.6.9, >= 12.0.0, < 12.0.8, >= 12.1.0, < 12.1.5, >= 12.2.0, < 12.2.3, = 12.3.07.5 HIGH

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.

>= 12.0.0, < 12.2.110 CRITICAL

SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met: - `enableSCIM` feature flag set to true - `user_sync_enabled` config option in the `[auth.scim]` block set to true

< 10.4.18, >= 11.2.0, < 11.2.9, >= 11.3.0, < 11.3.6, >= 11.4.0, < 11.4.4, >= 11.5.0, < 11.5.4, >= 11.6.0, < 11.6.1, = 10.4.18, = 11.2.9, = 11.3.6, = 11.4.4, = 11.5.4, = 11.6.1, = 12.0.07.6 HIGH

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.

= 10.4.02.2 LOW

Organization admins can delete pending invites created in an organization they are not part of.

= 11.0.09.9 CRITICAL

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

>= 10.0.0, < 10.0.12, >= 10.1.0, < 10.1.8, >= 10.2.0, < 10.2.5, >= 10.3.0, < 10.3.4, >= 8.5.0, < 9.5.76 MEDIUM

A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

< 0.6.135 MEDIUM

Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to a bare host with no path (e.g. https://www.example.com/ https://www.example.com/` ), requests to an endpoint other than the one configured by the administrator could be triggered by a specially crafted request from any user, resulting in an SSRF vector. AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

= 10.1.0, = 10.2.0, = 10.3.0, = 10.0.0, <= 2.5.05.4 MEDIUM

A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.

>= 10.1.0, < 10.1.5, >= 10.0.0, < 10.0.9, >= 9.5.0, < 9.5.13, >= 9.4.0, < 9.4.176.6 MEDIUM

Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction can be bypassed used punycode encoding of the characters in the request address.

>= 9.5.0, < 9.5.11, >= 8.0.0, < 9.4.16, >= 10.1.0, < 10.1.3, >= 10.0.0, < 10.0.7, = 10.1.46.7 MEDIUM

Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally. This means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user. The vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of.

>= 9.5.0, < 9.5.4, >= 9.4.0, < 9.4.13, >= 9.3.0, < 9.3.16, >= 9.2.0, < 9.2.20, >= 6.7.0, < 8.5.279.4 CRITICAL

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

>= 9.5.0, < 9.5.3, >= 9.4.0, < 9.4.127.5 HIGH

Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.

>= 9.5.0, < 9.5.3, >= 9.4.0, < 9.4.12, >= 9.3.0, < 9.3.15, >= 9.0.0, < 9.2.19, >= 8.0.0, < 8.5.264.1 MEDIUM

Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.

>= 9.4.0, < 9.4.9, >= 9.3.0, < 9.3.13, >= 9.1.0, < 9.2.174.2 MEDIUM

Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.

> 9.3.0, < 9.3.11, >= 9.2.0, < 9.2.15, >= 8.0.0, < 8.5.226.2 MEDIUM

Grafana is an open-source platform for monitoring and observability.  Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.  Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.

>= 9.3.0, < 9.3.4, >= 9.2.0, < 9.2.106.4 MEDIUM

Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass though the unsanitized HTML code, but in the next cycle the HTML is cleaned up and saved in Grafana's database. An attacker needs to have the Editor role in order to change a Text panel to include JavaScript. Another user needs to edit the same Text panel, and click on "Markdown" or "HTML" for the code to be executed. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. This issue has been patched in versions 9.2.10 and 9.3.4.

>= 9.3.0, < 9.3.8, >= 9.2.0, < 9.2.13, >= 7.0.0, < 8.5.217.3 HIGH

Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.

>= 9.3.0, < 9.3.8, >= 9.2.0, < 9.2.13, >= 8.1.0, < 8.5.217.3 HIGH

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.

>= 9.3.0, < 9.3.4, >= 8.3.1, < 9.2.10, = 8.3.07.1 HIGH

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.

>= 9.0.0, < 9.2.8, < 8.5.166.7 MEDIUM

Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.

>= 8.1.0, < 8.5.16, >= 9.0.0, < 9.2.10, >= 9.3.0, < 9.3.47.3 HIGH

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.

>= 9.0.0, < 9.2.4, < 8.5.156.7 MEDIUM

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.

>= 9.0.0, < 9.2.4, >= 8.0.0, < 8.5.156.4 MEDIUM

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.

>= 9.2.0, < 9.2.49.8 CRITICAL

Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.

>= 9.0.0, < 9.1.8, < 8.5.144.3 MEDIUM

Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. Since Grafana allows a user to log in with either their username or email address, this creates an usual behavior where `user_1` can register with one email address and `user_2` can register their username as `user_1`’s email address. This prevents `user_1` logging into the application since `user_1`'s password won’t match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue.

= 5.0.0, >= 9.0.0, < 9.1.8, >= 5.0.1, < 8.5.146.8 MEDIUM

Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.

>= 9.0.0, < 9.1.8, < 8.5.144.9 MEDIUM

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.

>= 9.0.0, < 9.1.8, >= 7.0.0, < 8.5.146.1 MEDIUM

Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.

>= 9.1.0, < 9.1.6, >= 9.0.0, < 9.0.9, < 8.5.137.6 HIGH

Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.

>= 9.1.0, < 9.1.6, >= 9.0.0, < 9.0.9, < 8.5.136.6 MEDIUM

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/

>= 9.0.0, < 9.0.3, >= 8.5.0, < 8.5.9, >= 8.4.0, < 8.4.10, >= 5.3.0, < 8.3.107.1 HIGH

Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.

>= 9.0.0, < 9.0.3, >= 8.5.0, < 8.5.9, >= 8.4.0, < 8.4.10, >= 8.0.0, < 8.3.107.3 HIGH

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.

= 8.4.37.5 HIGH5 MEDIUM

Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. NOTE: the vendor considers this a UI bug, not a vulnerability

= 8.4.37.5 HIGH5 MEDIUM

Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. NOTE: the vendor's position is that there is no vulnerability; this request yields a benign error page, not /etc/passwd content

>= 8.0.0, < 8.5.3, >= 7.4.0, < 7.5.166.6 MEDIUM4.9 MEDIUM

Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security feature allows list allows to configure Grafana in a way so that the instance doesn’t call or only calls specific hosts. The vulnerability present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3 allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give secure information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds.

>= 1.1.0, < 1.2.1, = 1.3.09.8 CRITICAL7.5 HIGH

The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used. Versions 1.2.1, 1.3.1, and 1.4.0 contain the bugfix. This affects -auth.type=enterprise in microservices mode