Lucene search
K
GrafanaMost viewed

90 matches found

Grafana
Grafana
added 2024/09/25 12:0 a.m.11 views

Grafana Agent flow mode unquoted service path

On a windows machine, the Grafana Agent Flow mode service prior to version 0.43.1 is vulnerable to a privilege escalation from local user to SYSTEM due to an unquoted service path. It is recommended that you remove the Grafana Agent Flow installation and do a clean install. An update will not...

7.8CVSS5.7AI score0.00264EPSS
Exploits0
Grafana
Grafana
added 2024/02/13 12:0 a.m.11 views

Email verification is not required after email change

Grafana is an open-source platform for monitoring and observability. A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option “verifyemailenabled” will only validate email only on sign up. This issue has been...

5.4CVSS5.7AI score0.01385EPSS
Exploits1
Grafana
Grafana
added 2023/09/19 12:0 a.m.11 views

Google Sheets data source plugin - API key leaks in error messages

The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability. The plugin did not properly sanitize error messages, making it potentially expose the Google Sheet API-key that is configured for the data source. This vulnerabilit...

7.5CVSS7.2AI score0.00389EPSS
Exploits0
Grafana
Grafana
added 2023/06/06 12:0 a.m.11 views

Grafana ds proxy race condition

Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public...

7.5CVSS6.8AI score0.00745EPSS
Exploits0
Grafana
Grafana
added 2023/04/26 12:0 a.m.11 views

JWT URL-login flow leaks token to data sources through request parameter in proxy requests

Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter authtoken and use it as the authentication token. By enabling the “urllogin” configuration option disabled by default, a...

7.5CVSS7.1AI score0.01504EPSS
Exploits1
Grafana
Grafana
added 2022/01/18 12:0 a.m.11 views

Forward OAuth Identity Token can allow users to access some data sources

Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token and no other user credentials will forward the OAuth Identity of the most recently...

4.3CVSS6.7AI score0.02013EPSS
Exploits0
Grafana
Grafana
added 2026/03/30 12:0 a.m.10 views

Query resampling can cause unbounded memory allocations

A resample query can be used to trigger out-of-memory crashes in Grafana...

6.5CVSS5.8AI score0.00376EPSS
Exploits0
Grafana
Grafana
added 2025/11/11 12:0 a.m.10 views

CVE-2025-41116

Grafana is an open-source platform for monitoring and observability. The Grafana-Databricks-Datasource is a plugin allowing Grafana to visualize data from Databricks Enterprise Versions between 1.6.0 and 1.12.0 are vulnerable to a bug when Oauth passthrough is enabled, and multiple users are usin...

2.1CVSS5.8AI score0.00262EPSS
Exploits0
Grafana
Grafana
added 2025/09/19 12:0 a.m.10 views

Regex DoS in Zabbix Plugin in Grafana

Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metrics and realtime monitoring. Versions 5.2.1 and below contained a ReDoS vulnerability via...

4.3CVSS7.3AI score0.00323EPSS
Exploits0
Grafana
Grafana
added 2025/07/17 12:0 a.m.10 views

Grafana Alerting DingDing Integration URL Exposed to Viewers

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01,...

4.3CVSS6.3AI score0.0089EPSS
Exploits0
Grafana
Grafana
added 2024/11/12 12:0 a.m.10 views

Privilege escalation vulnerability for Organizations in Grafana

A privilege escalation vulnerability allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant. This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana...

5.1CVSS6.6AI score0.00213EPSS
Exploits0
Grafana
Grafana
added 2024/10/28 12:0 a.m.10 views

Org admin can delete pending invites in different org

Organization admins can delete pending invites created in an organization they are not part of...

2.7CVSS6.7AI score0.00496EPSS
Exploits0
Grafana
Grafana
added 2024/09/19 12:0 a.m.10 views

Information Leakage in grafana-plugin-sdk-go

The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running git remote get-url origin . If credentials are included in the repository URI for instance, to allow for fetching of private...

9.1CVSS5.8AI score0.00519EPSS
Exploits0
Grafana
Grafana
added 2024/02/14 12:0 a.m.10 views

SSRF in CSV Datasource Plugin

Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to a bare hos...

5.3CVSS5.8AI score0.00509EPSS
Exploits0
Grafana
Grafana
added 2023/06/08 12:0 a.m.10 views

Grafana WorldMap Panel Plugin DOM XSS

Grafana is an open-source platform for monitoring and observability. The WorldMap panel plugin, versions before 1.0.4 contains a DOM XSS vulnerability...

7.3CVSS5.8AI score0.0045EPSS
Exploits0
Grafana
Grafana
added 2023/01/26 12:0 a.m.10 views

Stored XSS in ResourcePicker component

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren’t properly...

7.3CVSS6.9AI score0.00779EPSS
Exploits0
Grafana
Grafana
added 2022/11/08 12:0 a.m.10 views

Email addresses and usernames can not be trusted

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non...

8.1CVSS7.1AI score0.0074EPSS
Exploits0
Grafana
Grafana
added 2022/10/12 12:0 a.m.10 views

Using email as a username can block other users from signing in

Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user’s login attempt by registering someone else’e email address as a username. A Grafana user’s username and email address are unique fields, th...

4.3CVSS6.8AI score0.0082EPSS
Exploits0
Grafana
Grafana
added 2022/10/12 12:0 a.m.10 views

Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with...

7.5CVSS7.2AI score0.00964EPSS
Exploits0
Grafana
Grafana
added 2022/07/14 12:0 a.m.10 views

Grafana account takeover via OAuth vulnerability

Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of...

7.5CVSS7.1AI score0.02546EPSS
Exploits0
Grafana
Grafana
added 2022/07/14 12:0 a.m.10 views

Stored XSS in Unified Alerting

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate...

8.7CVSS7.1AI score0.68603EPSS
Exploits0
Grafana
Grafana
added 2022/05/19 12:0 a.m.10 views

Grafana datasource network restrictions bypass via HTTP redirects

Grafana is an open-source platform for monitoring and observability. In Grafana, the Request security feature allows list allows to configure Grafana in a way so that the instance does not call or only calls specific hosts. The vulnerability present starting with version 7.4.0-beta1 and prior to...

8.5CVSS7.3AI score0.01116EPSS
Exploits0
Grafana
Grafana
added 2023/06/06 12:0 a.m.9 views

Broken Access Control in Alert manager: Viewer can send test alerts

Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access t...

7.5CVSS5.8AI score0.01027EPSS
Exploits1
Grafana
Grafana
added 2023/02/28 12:0 a.m.9 views

Stored XSS in TraceView Panel

Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span’s attributes/resources were not properly sanitized and this...

7.3CVSS6.8AI score0.09216EPSS
Exploits0
Grafana
Grafana
added 2023/01/26 12:0 a.m.9 views

Spoofing originalUrl of snapshots

Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the originalUrl parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be...

6.7CVSS6.8AI score0.00828EPSS
Exploits0
Grafana
Grafana
added 2022/10/12 12:0 a.m.9 views

Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins

Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain...

7.5CVSS6.9AI score0.01228EPSS
Exploits0
Grafana
Grafana
added 2022/09/20 12:0 a.m.9 views

Grafana folders admin only permission privilege escalation

Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafa...

7.6CVSS6.7AI score0.00612EPSS
Exploits0
Grafana
Grafana
added 2022/09/20 12:0 a.m.9 views

Escalation from admin to server admin when auth proxy is used

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All...

6.6CVSS6.9AI score0.01302EPSS
Exploits0
Grafana
Grafana
added 2022/08/30 12:0 a.m.9 views

Grafana Image Renderer leaking files

Grafana Image Renderer is a Grafana backend plugin that handles rendering of panels & dashboards to PNGs using a headless browser Chromium/Chrome. An internal security review identified an unauthorized file disclosure vulnerability. It is possible for a malicious user to retrieve unauthorized fil...

8.3CVSS7.2AI score0.00903EPSS
Exploits0
Grafana
Grafana
added 2022/04/12 12:0 a.m.9 views

Grafana fine-grained access control API Key privilege escalation

Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructe...

8.8CVSS7.3AI score0.02322EPSS
Exploits0
Grafana
Grafana
added 2022/02/08 12:0 a.m.9 views

Grafana Teams API IDOR

Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. /teams/:teamId will allow an authenticated attacker to view unintended data by querying for the specific team ID,...

4.3CVSS6.8AI score0.01168EPSS
Exploits0
Grafana
Grafana
added 2022/02/08 12:0 a.m.9 views

Grafana proxy XSS

Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting XSS attack. The...

6.5CVSS6.8AI score0.02359EPSS
Exploits1
Grafana
Grafana
added 2022/02/08 12:0 a.m.9 views

Grafana Cross Site Request Forgery

Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users for example,...

8.8CVSS6.8AI score0.02236EPSS
Exploits0
Grafana
Grafana
added 2024/05/30 12:0 a.m.8 views

Grafana OnCall Webhook SSRF

Grafana OnCall is an easy-to-use on-call management tool that will help reduce toil in on-call management through simpler workflows and interfaces that are tailored specifically for engineers. Grafana OnCall, from version 1.1.37 before 1.5.2 are vulnerable to a Server Side Request Forgery SSRF...

9.1CVSS5.8AI score0.00402EPSS
Exploits0
Grafana
Grafana
added 2023/06/22 12:0 a.m.8 views

Grafana authentication bypass using Azure AD OAuth

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app...

9.8CVSS5.8AI score0.04094EPSS
Exploits0
Grafana
Grafana
added 2023/03/22 12:0 a.m.8 views

Stored XSS in Graphite FunctionDescription tooltip

Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have contro...

6.2CVSS6.8AI score0.00962EPSS
Exploits1
Grafana
Grafana
added 2023/02/28 12:0 a.m.8 views

Text panel plugin XSS

Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin “Text”. The stored XSS vulnerability requires several user interactions in order to be...

6.4CVSS6.8AI score0.01562EPSS
Exploits0
Grafana
Grafana
added 2023/02/28 12:0 a.m.8 views

XSS In Geomap Via Attribution

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren’t properly sanitized and allowed arbitrary JavaScript...

7.3CVSS6.9AI score0.1546EPSS
Exploits0
Grafana
Grafana
added 2023/02/01 12:0 a.m.8 views

Use of Cache Containing Sensitive Information

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including grafanasession . As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the...

8.8CVSS7.2AI score0.01132EPSS
Exploits1
Grafana
Grafana
added 2022/10/12 12:0 a.m.7 views

Plugin signature bypass

Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are...

7.8CVSS6.8AI score0.00249EPSS
Exploits0
Total number of security vulnerabilities90