CVE History
| CVE | Affected | Published | CVSS v3 | CVSS v2 |
|---|---|---|---|---|
| <= 11.6.14, >= 12.2.0, <= 12.2.8, >= 12.3.0, <= 12.3.6, >= 12.4.0, <= 12.4.3, >= 13.0.0, <= 13.0.1 | 7.5 HIGH | — | ||
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability. | ||||
| = 12.4.0 | 7.3 HIGH | — | ||
The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix | ||||
| = 11.6.0 | 5.4 MEDIUM | — | ||
The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies. | ||||
| >= 8.0.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.1 | 6.5 MEDIUM | — | ||
Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server. | ||||
| >= 11.6.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1 | 5.9 MEDIUM | — | ||
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this. | ||||
| >= 11.6.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1 | 6.3 MEDIUM | — | ||
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable. | ||||
| >= 8.5.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.1 | 7.1 HIGH | — | ||
An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege. | ||||
| >= 8.5.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.1 | 7.4 HIGH | — | ||
When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here. | ||||
| >= 8.5.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.1 | 6.5 MEDIUM | — | ||
A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service. | ||||
| >= 8.5.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.1 | 6.5 MEDIUM | — | ||
Any Editor could delete any snapshot, even if they have no access to read or write them. | ||||
| = *, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.1, >= 8.0.0, < 11.6.14, >= 12.0.0, < 12.2.8 | 6.5 MEDIUM | — | ||
The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue. | ||||
| >= 8.5.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.1 | 4.3 MEDIUM | — | ||
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations. | ||||
| >= 8.5.0, < 11.6.14, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, = 11.6.14, = 12.2.8, = 12.3.6, = 12.4.3, = 13.0.0, = 13.0.1 | 6.5 MEDIUM | — | ||
A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server. | ||||
| < 11.6.11, >= 12.0.0, < 12.0.9, >= 12.1.0, < 12.1.6, >= 12.2.0, < 12.2.4, >= 12.3.0, < 12.3.3 | 3.3 LOW | — | ||
--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability. | ||||
| >= 8.0.0, <= 12.3.0 | 6.5 MEDIUM | — | ||
In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations. | ||||
| < 12.1.0, >= 12.1.10, < 12.2.0, >= 12.2.8, < 12.3.0, >= 12.3.6, < 12.4.0 | 7.5 HIGH | — | ||
The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. | ||||
| < 8.1.0, >= 11.6.14, < 12.0.0, >= 12.1.10, < 12.2.0, >= 12.2.8, < 12.3.0, >= 12.3.6, < 12.4.0 | 6.5 MEDIUM | — | ||
A testdata data-source can be used to trigger out-of-memory crashes in Grafana. | ||||
| < 8.0.0, >= 11.6.14, < 12.0.0, >= 12.1.10, < 12.2.0, >= 12.2.8, < 12.3.0, >= 12.3.6, < 12.4.0 | 6.5 MEDIUM | — | ||
A resample query can be used to trigger out-of-memory crashes in Grafana. | ||||
| < 9.3.0, >= 11.6.14, < 12.0.0, >= 12.1.10, < 12.2.0, >= 12.2.8, < 12.3.0, >= 12.3.6, < 12.4.0 | 6.5 MEDIUM | — | ||
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security. | ||||
| < 11.6.0, >= 11.6.14, < 12.0.0, >= 12.1.10, < 12.2.0, >= 12.2.8, < 12.3.0, >= 12.3.6, < 12.4.0 | 9.1 CRITICAL | — | ||
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life. - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix. - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix. - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected. | ||||
| >= 11.6.0, < 11.6.14, >= 12.1.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.2 | 6.5 MEDIUM | — | ||
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container. | ||||
| >= 11.6.9, < 11.6.14, >= 12.1.5, < 12.1.10, >= 12.2.2, < 12.2.8, >= 12.3.1, < 12.3.6 | 5.4 MEDIUM | — | ||
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission. | ||||
| >= 11.0.0, < 12.4.1 | 2.6 LOW | — | ||
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion. - Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana. - The attacker must delete the datasource, then someone must recreate it. - The new datasource must not have the attacker as an admin. - The new datasource must have the same UID as the prior datasource. These are randomised by default. - The datasource can now be re-deleted by the attacker. - Once 30 seconds are up, the attack is spent and cannot be repeated. - No datasource with any other UID can be attacked. | ||||
| >= 9.3.0, < 11.6.10, >= 12.0.0, < 12.1.6, >= 12.2.0, <= 12.2.4, >= 12.3.0, <= 12.3.2, = 11.6.10, = 12.1.6, = 12.2.4, = 12.3.2 | 5.3 MEDIUM | — | ||
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard. | ||||
| >= 12.2.0, < 12.2.4, >= 12.3.0, < 12.3.2, = 12.2.4, = 12.3.2 | 6.8 MEDIUM | — | ||
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever. | ||||
| >= 10.2.0, < 11.6.9, >= 12.0.0, < 12.0.8, >= 12.1.0, < 12.1.5, >= 12.2.0, < 12.2.3, = 11.6.9, = 12.0.8, = 12.1.5, = 12.2.3, = 12.3.0, = 12.3.1 | 8.1 HIGH | — | ||
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation. | ||||
| >= 3.0.0, < 11.6.9, >= 12.0.0, < 12.0.8, >= 12.1.0, < 12.1.5, >= 12.2.0, < 12.2.3, = 12.3.0 | 7.5 HIGH | — | ||
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems. | ||||