CVE-2026-21727

A flaw was found in Grafana. This cross-tenant isolation vulnerability affects legacy correlation records, specifically those created prior to Grafana 10.2. A user with datasource management privileges can exploit a backward compatibility condition, which allows records with an organization ID...

CVE-2026-21727

Technical details for CVE-2026-21727 are not publicly available in the provided documents. Monitor for updates.

CVE-2026-21727 Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record

--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: " Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvssscore: "3.3" cvssvector:...

Cross-Tenant Legacy Correlation Disclosure and Deletion

A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing orgid = 0 records to be returned across organizations, a user with datasource management privileges could read and permanentl...