Lucene search
+L
GrafanaMost viewed

90 matches found

grafana
grafana
added 2026/03/30 12:0 a.m.51 views

Grafana Testdata datasource can issue unbounded memory allocations

A testdata data-source can be used to trigger out-of-memory crashes in Grafana...

6.5CVSS5.8AI score0.00376EPSS
Exploits0
grafana
grafana
added 2026/01/27 12:0 a.m.35 views

Unauthenticated DoS in avatar cache in Grafana

Grafana is an open-source platform for monitoring and observability. The platform supports users having their own avatars, which can be sourced from the Gravatar service API. This uses a cache, to ensure that we don’t overload the service. If these requests time out after 3 seconds, a Goroutine i...

7.5CVSS5.8AI score0.00618EPSS
Exploits0
grafana
grafana
added 2026/05/13 12:0 a.m.30 views

Grafana plugin resources can lead to unbounded memory allocation

A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service...

6.5CVSS5.8AI score0.00328EPSS
Exploits0
grafana
grafana
added 2026/05/13 12:0 a.m.23 views

BAC in Snapshot API allows deletion of unauthorized dashboard snapshots

Any Editor could delete any snapshot, even if they have no access to read or write them...

6.5CVSS5.8AI score0.00227EPSS
Exploits0
grafana
grafana
added 2026/03/30 12:0 a.m.23 views

OpenFeature evaluation API reads input data with no bounds

The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes...

7.5CVSS6AI score0.00772EPSS
Exploits0
grafana
grafana
added 2026/02/12 12:0 a.m.19 views

XSS in Grafana Explore stack trace

Stack traces in Grafana’s Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo ...

6.8CVSS5.8AI score0.00239EPSS
Exploits0
grafana
grafana
added 2025/08/04 12:0 a.m.19 views

SSRF in Infinity Datasource Plugin

Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints. If the plugin was configured to allow only certain URLs, an attacker could bypass this...

6.1CVSS6AI score0.0029EPSS
Exploits0
grafana
grafana
added 2024/03/26 12:0 a.m.19 views

Users outside an organization can delete a snapshot with its key

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit ...

6.5CVSS5.8AI score0.00646EPSS
Exploits0
grafana
grafana
added 2025/12/16 12:0 a.m.18 views

Information Leakage in Grafana Alerting

In Grafana’s alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role “Contact Point Writer”, which is part of the basic role Editor - can edit...

6.5CVSS5.8AI score0.00255EPSS
Exploits0
grafana
grafana
added 2022/10/12 12:0 a.m.17 views

Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with...

7.5CVSS7.2AI score0.00964EPSS
Exploits0
grafana
grafana
added 2026/03/30 12:0 a.m.16 views

RCE on Grafana via sqlExpressions

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact RCE. This is enabled by a feature in Grafana OSS, so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the...

9.1CVSS6.6AI score0.01929EPSS
Exploits0
grafana
grafana
added 2024/09/26 12:0 a.m.16 views

Grafana alerting wrong permission on datasource rule write endpoint

In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules. This vulnerability first appeared in Grafana v8.5.0, and is fixed in v11.2.1, v11.1.6, v11.0.5, v10.4.9, and v10.3.10...

5.1CVSS5.8AI score0.00583EPSS
Exploits0
grafana
grafana
added 2026/05/13 12:0 a.m.15 views

Users can generate Service Account tokens after permissions removal

When a user’s access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

5.9CVSS5.8AI score0.00245EPSS
Exploits0
grafana
grafana
added 2026/02/25 12:0 a.m.15 views

Authorization bypass in Grafana datasource deletion

A time-of-create-to-time-of-use TOCTOU vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: The attacker must have admin access to the specific datasource prior to its first deletion...

2.6CVSS5.8AI score0.00175EPSS
Exploits0
grafana
grafana
added 2025/11/19 12:0 a.m.15 views

Incorrect privilege assignment

SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user...

10CVSS6AI score0.17653EPSS
Exploits1
grafana
grafana
added 2025/07/18 12:0 a.m.15 views

Grafana Cross-Site-Scripting (XSS) via scripted dashboards

An open redirect vulnerability has been identified in Grafana that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01,...

7.6CVSS6.4AI score0.37565EPSS
Exploits0
grafana
grafana
added 2024/02/14 12:0 a.m.15 views

Improper Path Sanitization in JSON Datasource Plugin

Grafana is an open-source platform for monitoring and observability. The JSON datasource plugin is a Grafana Labs maintained plugin that allows for retrieving and processing JSON data from a remote endpoint including a specific sub-path configured by an administrator. Due to inadequate sanitizati...

8CVSS5.9AI score0.0077EPSS
Exploits0
grafana
grafana
added 2026/02/12 12:0 a.m.14 views

Public Dashboards time range restriction on annotations can be bypassed

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any...

5.3CVSS5.8AI score0.00327EPSS
Exploits0
grafana
grafana
added 2026/01/27 12:0 a.m.14 views

Cross-dashboard privilege escalation via permission management

Grafana is an open-source platform for monitoring and observability. The platform supports creating dashboards, which collate various visualisation panels onto one plane. These can have per-user permissions. If a user has permission management rights on one dashboard, they could edit the...

8.1CVSS7.2AI score0.00647EPSS
Exploits1
grafana
grafana
added 2025/11/11 12:0 a.m.14 views

CVE-2025-3717

Grafana is an open-source platform for monitoring and observability. The Grafana-Snowflake-Datasource is a plugin allowing Grafana to visualize data from Snowflake Versions between 1.5.0 and 1.14.0 are vulnerable to a bug when Oauth passthrough is enabled, and multiple users are using the same...

2.1CVSS5.8AI score0.00262EPSS
Exploits0
grafana
grafana
added 2025/10/09 12:0 a.m.14 views

Arbitrary Code Execution in Grafana Image Renderer Plugin

Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then load...

9.9CVSS6.5AI score0.00594EPSS
Exploits0
grafana
grafana
added 2025/06/02 12:0 a.m.14 views

Authorization Bypass in Datasource Proxy

This vulnerability in Grafana’s datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily...

5CVSS6.6AI score0.00414EPSS
Exploits0
grafana
grafana
added 2024/09/25 12:0 a.m.14 views

Grafana Alloy unquoted service path

On a windows machine, the Grafana Alloy service prior to 1.3.3 is vulnerable to a privilege escalation from local user to SYSTEM due to an unquoted service path. It is recommended that you remove the Grafana Alloy installation and do a clean install. An update will not resolve the issue. An...

7.8CVSS5.7AI score0.003EPSS
Exploits0
grafana
grafana
added 2024/03/07 12:0 a.m.14 views

User with permissions to create a data source can CRUD all data sources

A user with the permissions to create a data source can use Grafana API to create a data source with UID set to . Doing this will grant the user access to read, query, edit and delete all data sources within the organization. Impacted Versions: 8.5.0 9.5.7 10.0.0 10.0.12 10.1.0 10.1.8 10.2.0 10.2...

8.8CVSS5.8AI score0.00802EPSS
Exploits0
grafana
grafana
added 2026/05/13 12:0 a.m.13 views

Viewer-triggered race condition in Grafana Live leads to complete server crash

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server...

6.5CVSS5.8AI score0.00262EPSS
Exploits0
grafana
grafana
added 2026/05/13 12:0 a.m.13 views

Auth Proxy IPv6 whitelist bypass

When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask usually /128 to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here...

7.4CVSS5.8AI score0.00271EPSS
Exploits0
grafana
grafana
added 2026/03/25 12:0 a.m.13 views

Missing Protected-field Authorization in Provisioning Contact Points API

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission...

5.4CVSS5.7AI score0.00238EPSS
Exploits0
grafana
grafana
added 2026/03/25 12:0 a.m.13 views

Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user Viewer to bypass API restrictions and trigger a catastrophic Out-Of-Memory OOM memory exhaustion, crashing the host container. Thanks to khanmarshal for reporting this vulnerability to us via our bug boun...

6.5CVSS5.8AI score0.00434EPSS
Exploits0
grafana
grafana
added 2026/01/26 12:0 a.m.13 views

Grafana Loki Path Traversal - CVE-2021-36156 Bypass

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...

5.3CVSS6AI score0.01489EPSS
Exploits0
grafana
grafana
added 2026/01/02 12:0 a.m.13 views

Exposure of Storage Secret in Pyroscope

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage COS. If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secretkey configuration value from the...

9.1CVSS5.8AI score0.00406EPSS
Exploits0
grafana
grafana
added 2025/07/18 12:0 a.m.13 views

Grafana Open Redirect in Organization Switching

An open redirect vulnerability has been identified in Grafana organization switching functionality. Prerequisites for exploitation: Multiple organizations must exist in the Grafana instance Victim must be on a different organization than the one specified in the URL Fixed in versions...

4.2CVSS7.2AI score0.03711EPSS
Exploits0
grafana
grafana
added 2025/06/17 12:0 a.m.13 views

Very long unicode dashboard title can hang the frontend

In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher. Credits: Jinay Patel and Shrey Shah for...

2.7CVSS5.9AI score0.00394EPSS
Exploits0
grafana
grafana
added 2025/05/22 12:0 a.m.13 views

Organization admin can delete server admin in Grafana

An access control vulnerability was discovered in Grafana where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: An Organization administrator exists...

5.5CVSS6.9AI score0.00378EPSS
Exploits0
grafana
grafana
added 2025/04/23 12:0 a.m.13 views

XSS in Grafana XY Chart Plugin

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript. This vulnerability first appeared in Grafana v11.1.0, and is fixed in 11.6.0+security-01, 11.5.3+security-01,...

6.8CVSS6.8AI score0.13697EPSS
Exploits0
grafana
grafana
added 2024/07/23 12:0 a.m.13 views

Grafana plugins route actions are not scoped to instance

Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query...

5.4CVSS5.8AI score0.00305EPSS
Exploits0
grafana
grafana
added 2024/02/14 12:0 a.m.13 views

SSRF in CSV Datasource Plugin

Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to a bare hos...

5.3CVSS5.8AI score0.00509EPSS
Exploits0
grafana
grafana
added 2022/11/08 12:0 a.m.13 views

User enumeration via forget password

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks...

6.7CVSS6.7AI score0.00696EPSS
Exploits0
grafana
grafana
added 2026/05/13 12:0 a.m.12 views

IDOR in Annotations API allows unprivileged users to DELETE annotation

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations...

4.3CVSS5.8AI score0.00198EPSS
Exploits0
grafana
grafana
added 2026/05/13 12:0 a.m.12 views

SQL Expressions Read File From Disk

A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server’s filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable...

6.3CVSS6AI score0.00262EPSS
Exploits0
grafana
grafana
added 2026/05/13 12:0 a.m.12 views

Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro

Using the $timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server...

6.5CVSS5.8AI score0.00328EPSS
Exploits0
grafana
grafana
added 2026/03/30 12:0 a.m.12 views

Public dashboards discloses all direct mode datasources

When using public dashboards and direct data-sources, all direct data-sources’ passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve...

7.5CVSS5.8AI score0.00298EPSS
Exploits0
grafana
grafana
added 2026/01/29 12:0 a.m.12 views

Cross-Tenant Legacy Correlation Disclosure and Deletion

A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing orgid = 0 records to be returned across organizations, a user with datasource management privileges could read and permanentl...

3.3CVSS5.7AI score0.00204EPSS
Exploits0
grafana
grafana
added 2025/11/11 12:0 a.m.12 views

CVE-2025-41116

Grafana is an open-source platform for monitoring and observability. The Grafana-Databricks-Datasource is a plugin allowing Grafana to visualize data from Databricks Enterprise Versions between 1.6.0 and 1.12.0 are vulnerable to a bug when Oauth passthrough is enabled, and multiple users are usin...

2.1CVSS5.8AI score0.00262EPSS
Exploits0
grafana
grafana
added 2025/06/02 12:0 a.m.12 views

Authorization vulnerability in /apis allows authenticated users to bypass all dashboard permissions

A security vulnerability in the /apis/dashboard.grafana.app/ endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions v0alpha1, v1alpha1, v2alpha1. Impact: Viewers can view all dashboards/folders regardless of permissions Editors...

8.3CVSS7.3AI score0.00501EPSS
Exploits0
grafana
grafana
added 2025/05/21 12:0 a.m.12 views

Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin

A cross-site scripting XSS vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permission...

7.6CVSS7.4AI score0.97999EPSS
Exploits6
grafana
grafana
added 2024/10/17 12:0 a.m.12 views

Grafana SQL Expressions allow for remote code execution

The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb queries containing user input. These queries are insufficiently sanitized before being passed to duckdb , leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or high...

9.9CVSS6.8AI score0.97781EPSS
Exploits10
grafana
grafana
added 2024/09/25 12:0 a.m.12 views

Grafana Agent flow mode unquoted service path

On a windows machine, the Grafana Agent Flow mode service prior to version 0.43.1 is vulnerable to a privilege escalation from local user to SYSTEM due to an unquoted service path. It is recommended that you remove the Grafana Agent Flow installation and do a clean install. An update will not...

7.8CVSS5.7AI score0.00264EPSS
Exploits0
grafana
grafana
added 2023/10/12 12:0 a.m.12 views

Grafana datasource network restrictions bypass

Grafana is an open-source platform for monitoring and observability. In Grafana, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction can be bypassed used punycode encoding of the characters in...

7.2CVSS7.1AI score0.01082EPSS
Exploits0
grafana
grafana
added 2023/10/12 12:0 a.m.12 views

Grafana org admins can modify permissions across all orgs

Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor...

7.2CVSS6.9AI score0.01074EPSS
Exploits0
grafana
grafana
added 2023/09/19 12:0 a.m.12 views

Google Sheets data source plugin - API key leaks in error messages

The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability. The plugin did not properly sanitize error messages, making it potentially expose the Google Sheet API-key that is configured for the data source. This vulnerabilit...

7.5CVSS7.2AI score0.00389EPSS
Exploits0
Total number of security vulnerabilities90