OPENSUSE-SU-2026:10601-1 - Vulnerability-Lookup

OPENSUSE-SU-2026:10601-1

Vulnerability from csaf_opensuse - Published: 2026-04-22 00:00 - Updated: 2026-04-22 00:00

Summary

grafana-11.6.14+security01-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: grafana-11.6.14+security01-1.1 on GA media

Description of the patch: These are all security issues fixed in the grafana-11.6.14+security01-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10601

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2026-21720

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-21721

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-21722

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-21724

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-21725

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-26958

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-27876

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-27877

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-27879

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-28375

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-33186

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-33375

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-21720/	self
	https://www.suse.com/security/cve/CVE-2026-21721/	self
	https://www.suse.com/security/cve/CVE-2026-21722/	self
	https://www.suse.com/security/cve/CVE-2026-21724/	self
	https://www.suse.com/security/cve/CVE-2026-21725/	self
	https://www.suse.com/security/cve/CVE-2026-26958/	self
	https://www.suse.com/security/cve/CVE-2026-27876/	self
	https://www.suse.com/security/cve/CVE-2026-27877/	self
	https://www.suse.com/security/cve/CVE-2026-27879/	self
	https://www.suse.com/security/cve/CVE-2026-28375/	self
	https://www.suse.com/security/cve/CVE-2026-33186/	self
	https://www.suse.com/security/cve/CVE-2026-33375/	self
	https://www.suse.com/security/cve/CVE-2026-21720	external
	https://bugzilla.suse.com/1257349	external
	https://www.suse.com/security/cve/CVE-2026-21721	external
	https://bugzilla.suse.com/1257337	external
	https://www.suse.com/security/cve/CVE-2026-21722	external
	https://bugzilla.suse.com/1258136	external
	https://www.suse.com/security/cve/CVE-2026-21724	external
	https://bugzilla.suse.com/1260878	external
	https://www.suse.com/security/cve/CVE-2026-21725	external
	https://bugzilla.suse.com/1258873	external
	https://www.suse.com/security/cve/CVE-2026-26958	external
	https://bugzilla.suse.com/1258570	external
	https://www.suse.com/security/cve/CVE-2026-27876	external
	https://bugzilla.suse.com/1261025	external
	https://www.suse.com/security/cve/CVE-2026-27877	external
	https://bugzilla.suse.com/1261026	external
	https://www.suse.com/security/cve/CVE-2026-27879	external
	https://bugzilla.suse.com/1261027	external
	https://www.suse.com/security/cve/CVE-2026-28375	external
	https://bugzilla.suse.com/1261029	external
	https://www.suse.com/security/cve/CVE-2026-33186	external
	https://bugzilla.suse.com/1260085	external
	https://www.suse.com/security/cve/CVE-2026-33375	external
	https://bugzilla.suse.com/1260881	external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "grafana-11.6.14+security01-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the grafana-11.6.14+security01-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10601",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10601-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-21720 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-21720/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-21721 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-21721/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-21722 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-21722/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-21724 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-21724/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-21725 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-21725/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-26958 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-26958/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-27876 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-27876/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-27877 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-27877/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-27879 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-27879/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-28375 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-28375/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33186 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33186/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33375 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33375/"
      }
    ],
    "title": "grafana-11.6.14+security01-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-04-22T00:00:00Z",
      "generator": {
        "date": "2026-04-22T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10601-1",
      "initial_release_date": "2026-04-22T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-04-22T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-11.6.14+security01-1.1.aarch64",
                "product": {
                  "name": "grafana-11.6.14+security01-1.1.aarch64",
                  "product_id": "grafana-11.6.14+security01-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-11.6.14+security01-1.1.ppc64le",
                "product": {
                  "name": "grafana-11.6.14+security01-1.1.ppc64le",
                  "product_id": "grafana-11.6.14+security01-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-11.6.14+security01-1.1.s390x",
                "product": {
                  "name": "grafana-11.6.14+security01-1.1.s390x",
                  "product_id": "grafana-11.6.14+security01-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-11.6.14+security01-1.1.x86_64",
                "product": {
                  "name": "grafana-11.6.14+security01-1.1.x86_64",
                  "product_id": "grafana-11.6.14+security01-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.6.14+security01-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64"
        },
        "product_reference": "grafana-11.6.14+security01-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.6.14+security01-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le"
        },
        "product_reference": "grafana-11.6.14+security01-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.6.14+security01-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x"
        },
        "product_reference": "grafana-11.6.14+security01-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.6.14+security01-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
        },
        "product_reference": "grafana-11.6.14+security01-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-21720",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-21720"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-21720",
          "url": "https://www.suse.com/security/cve/CVE-2026-21720"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257349 for CVE-2026-21720",
          "url": "https://bugzilla.suse.com/1257349"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-22T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-21720"
    },
    {
      "cve": "CVE-2026-21721",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-21721"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization-internal privilege escalation.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-21721",
          "url": "https://www.suse.com/security/cve/CVE-2026-21721"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257337 for CVE-2026-21721",
          "url": "https://bugzilla.suse.com/1257337"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-22T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-21721"
    },
    {
      "cve": "CVE-2026-21722",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-21722"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\n\nThis did not leak any annotations that would not otherwise be visible on the public dashboard.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-21722",
          "url": "https://www.suse.com/security/cve/CVE-2026-21722"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1258136 for CVE-2026-21722",
          "url": "https://bugzilla.suse.com/1258136"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-22T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-21722"
    },
    {
      "cve": "CVE-2026-21724",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-21724"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-21724",
          "url": "https://www.suse.com/security/cve/CVE-2026-21724"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260878 for CVE-2026-21724",
          "url": "https://bugzilla.suse.com/1260878"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-22T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-21724"
    },
    {
      "cve": "CVE-2026-21725",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-21725"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.\n\nThis requires several very stringent conditions to be met:\n\n- The attacker must have admin access to the specific datasource prior to its first deletion.\n- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.\n- The attacker must delete the datasource, then someone must recreate it.\n- The new datasource must not have the attacker as an admin.\n- The new datasource must have the same UID as the prior datasource. These are randomised by default.\n- The datasource can now be re-deleted by the attacker.\n- Once 30 seconds are up, the attack is spent and cannot be repeated.\n- No datasource with any other UID can be attacked.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-21725",
          "url": "https://www.suse.com/security/cve/CVE-2026-21725"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1258873 for CVE-2026-21725",
          "url": "https://bugzilla.suse.com/1258873"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-22T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2026-21725"
    },
    {
      "cve": "CVE-2026-26958",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-26958"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-26958",
          "url": "https://www.suse.com/security/cve/CVE-2026-26958"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1258570 for CVE-2026-26958",
          "url": "https://bugzilla.suse.com/1258570"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-22T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-26958"
    },
    {
      "cve": "CVE-2026-27876",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-27876"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable.\n\nOnly instances in the following version ranges are affected:\n\n- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.\n- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.\n- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.\n- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.\n- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-27876",
          "url": "https://www.suse.com/security/cve/CVE-2026-27876"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261025 for CVE-2026-27876",
          "url": "https://bugzilla.suse.com/1261025"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-22T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2026-27876"
    },
    {
      "cve": "CVE-2026-27877",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-27877"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "When using public dashboards and direct data-sources, all direct data-sources\u0027 passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments\u0027 security.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-27877",
          "url": "https://www.suse.com/security/cve/CVE-2026-27877"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261026 for CVE-2026-27877",
          "url": "https://bugzilla.suse.com/1261026"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-22T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-27877"
    },
    {
      "cve": "CVE-2026-27879",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-27879"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A resample query can be used to trigger out-of-memory crashes in Grafana.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-27879",
          "url": "https://www.suse.com/security/cve/CVE-2026-27879"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261027 for CVE-2026-27879",
          "url": "https://bugzilla.suse.com/1261027"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-22T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-27879"
    },
    {
      "cve": "CVE-2026-28375",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-28375"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-28375",
          "url": "https://www.suse.com/security/cve/CVE-2026-28375"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261029 for CVE-2026-28375",
          "url": "https://bugzilla.suse.com/1261029"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-22T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-28375"
    },
    {
      "cve": "CVE-2026-33186",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33186"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33186",
          "url": "https://www.suse.com/security/cve/CVE-2026-33186"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260085 for CVE-2026-33186",
          "url": "https://bugzilla.suse.com/1260085"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-22T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-33186"
    },
    {
      "cve": "CVE-2026-33375",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33375"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
          "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33375",
          "url": "https://www.suse.com/security/cve/CVE-2026-33375"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260881 for CVE-2026-33375",
          "url": "https://bugzilla.suse.com/1260881"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
            "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-22T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-33375"
    }
  ]
}

CVE-2026-27877 (GCVE-0-2026-27877)

Vulnerability from cvelistv5 – Published: 2026-03-27 14:02 – Updated: 2026-04-15 19:25

Title

Public dashboards discloses all direct mode datasources

Summary

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Assigner

GRAFANA

References

URL

Tags

https://grafana.com/security/security-advisories/…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Grafana	Grafana	Affected: 9.3.0 , < 11.6.14 (semver) Affected: 12.0.0 , < 12.1.10 (semver) Affected: 12.2.0 , < 12.2.8 (semver) Affected: 12.3.0 , < 12.3.6 (semver) Affected: 12.4.0 , < 12.4.2 (semver)

Date Public ?

2026-03-27 13:59

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27877",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T14:56:26.128138Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T14:56:34.782Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "broken-link"
            ],
            "url": "https://grafana.com/security/security-advisories/cve-2026-27877"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "OnPrem",
            "Cloud"
          ],
          "product": "Grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "11.6.14",
              "status": "affected",
              "version": "9.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.1.10",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.2.8",
              "status": "affected",
              "version": "12.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.3.6",
              "status": "affected",
              "version": "12.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.4.2",
              "status": "affected",
              "version": "12.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-03-27T13:59:46.831Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "When using public dashboards and direct data-sources, all direct data-sources\u0027 passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments\u0027 security."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T19:25:08.510Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2026-27877"
        }
      ],
      "source": {
        "discovery": "BUG_BOUNTY"
      },
      "title": "Public dashboards discloses all direct mode datasources",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2026-27877",
    "datePublished": "2026-03-27T14:02:11.889Z",
    "dateReserved": "2026-02-24T14:30:17.726Z",
    "dateUpdated": "2026-04-15T19:25:08.510Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21722 (GCVE-0-2026-21722)

Vulnerability from cvelistv5 – Published: 2026-02-12 08:49 – Updated: 2026-04-15 19:25

Title

Public Dashboards time range restriction on annotations can be bypassed

Summary

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-863 - Incorrect Authorization

Assigner

GRAFANA

References

URL

Tags

https://grafana.com/security/security-advisories/…

vendor-advisory

Impacted products

Vendor

Product

Version

grafana/grafana

Affected: 9.3.0 , < 11.6.10+security-01 (semver)
Affected: 12.0.0 , < 12.1.6+security-01 (semver)
Affected: 12.2.0 , < 12.2.4+security-01 (semver)
Affected: 12.3.0 , < 12.3.2+security-01 (semver)

grafana/grafana-enterprise

Affected: 9.3.0 , < 11.6.10+security-01 (semver)
Affected: 12.0.0 , < 12.1.6+security-01 (semver)
Affected: 12.2.0 , < 12.2.4+security-01 (semver)
Affected: 12.3.0 , < 12.3.2+security-01 (semver)

Date Public ?

2026-02-12 07:13

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21722",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-12T14:24:06.337064Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-863",
                "description": "CWE-863 Incorrect Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-27T14:01:13.177Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "11.6.10+security-01",
              "status": "affected",
              "version": "9.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.1.6+security-01",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.2.4+security-01",
              "status": "affected",
              "version": "12.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.3.2+security-01",
              "status": "affected",
              "version": "12.3.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "11.6.10+security-01",
              "status": "affected",
              "version": "9.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.1.6+security-01",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.2.4+security-01",
              "status": "affected",
              "version": "12.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.3.2+security-01",
              "status": "affected",
              "version": "12.3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-02-12T07:13:06.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\n\nThis did not leak any annotations that would not otherwise be visible on the public dashboard."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T19:25:06.746Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2026-21722"
        }
      ],
      "source": {
        "discovery": "BUG_BOUNTY"
      },
      "title": "Public Dashboards time range restriction on annotations can be bypassed",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2026-21722",
    "datePublished": "2026-02-12T08:49:05.678Z",
    "dateReserved": "2026-01-05T09:26:06.214Z",
    "dateUpdated": "2026-04-15T19:25:06.746Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33186 (GCVE-0-2026-33186)

Vulnerability from cvelistv5 – Published: 2026-03-20 22:23 – Updated: 2026-03-24 18:09

Title

gRPC-Go has an authorization bypass via missing leading slash in :path

Summary

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-285 - Improper Authorization

Assigner

GitHub_M

References

URL

Tags

https://github.com/grpc/grpc-go/security/advisori…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	grpc	grpc-go	Affected: < 1.79.3

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33186",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T18:08:38.989284Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T18:09:13.422Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grpc-go",
          "vendor": "grpc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.79.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T22:23:32.147Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
        }
      ],
      "source": {
        "advisory": "GHSA-p77j-4mvh-x3m3",
        "discovery": "UNKNOWN"
      },
      "title": "gRPC-Go has an authorization bypass via missing leading slash in :path"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33186",
    "datePublished": "2026-03-20T22:23:32.147Z",
    "dateReserved": "2026-03-17T22:16:36.720Z",
    "dateUpdated": "2026-03-24T18:09:13.422Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27876 (GCVE-0-2026-27876)

Vulnerability from cvelistv5 – Published: 2026-03-27 14:24 – Updated: 2026-04-15 19:25

Title

RCE on Grafana via sqlExpressions

Summary

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life. - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix. - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix. - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GRAFANA

References

URL

Tags

https://grafana.com/security/security-advisories/…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Grafana	Grafana	Affected: 11.6.0 , < 11.6.14 (semver) Affected: 12.0.0 , < 12.1.10 (semver) Affected: 12.2.0 , < 12.2.8 (semver) Affected: 12.3.0 , < 12.3.6 (semver) Affected: 12.4.0 , < 12.4.2 (semver)

Date Public ?

2026-03-27 14:21

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27876",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-94",
                "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-28T03:55:48.690Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "OnPrem",
            "Cloud"
          ],
          "product": "Grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "11.6.14",
              "status": "affected",
              "version": "11.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.1.10",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.2.8",
              "status": "affected",
              "version": "12.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.3.6",
              "status": "affected",
              "version": "12.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.4.2",
              "status": "affected",
              "version": "12.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-03-27T14:21:53.858Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable.\n\nOnly instances in the following version ranges are affected:\n\n- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.\n- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.\n- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.\n- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.\n- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T19:25:05.649Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2026-27876"
        }
      ],
      "source": {
        "discovery": "BUG_BOUNTY"
      },
      "title": "RCE on Grafana via sqlExpressions",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2026-27876",
    "datePublished": "2026-03-27T14:24:36.771Z",
    "dateReserved": "2026-02-24T14:30:17.726Z",
    "dateUpdated": "2026-04-15T19:25:05.649Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28375 (GCVE-0-2026-28375)

Vulnerability from cvelistv5 – Published: 2026-03-27 14:26 – Updated: 2026-04-15 19:25

Title

Grafana Testdata datasource can issue unbounded memory allocations

Summary

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GRAFANA

References

URL

Tags

https://grafana.com/security/security-advisories/…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Grafana	Grafana	Affected: 8.1.0 , < 11.6.14 (semver) Affected: 12.0.0 , < 12.1.10 (semver) Affected: 12.2.0 , < 12.2.8 (semver) Affected: 12.3.0 , < 12.3.6 (semver) Affected: 12.4.0 , < 12.4.2 (semver)

Date Public ?

2026-03-27 14:23

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28375",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T15:00:57.773116Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T15:01:14.243Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "OnPrem"
          ],
          "product": "Grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "11.6.14",
              "status": "affected",
              "version": "8.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.1.10",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.2.8",
              "status": "affected",
              "version": "12.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.3.6",
              "status": "affected",
              "version": "12.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.4.2",
              "status": "affected",
              "version": "12.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-03-27T14:23:47.094Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T19:25:05.269Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2026-28375"
        }
      ],
      "source": {
        "discovery": "INTERNAL_FINDING"
      },
      "title": "Grafana Testdata datasource can issue unbounded memory allocations",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2026-28375",
    "datePublished": "2026-03-27T14:26:19.270Z",
    "dateReserved": "2026-02-27T07:16:12.218Z",
    "dateUpdated": "2026-04-15T19:25:05.269Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33375 (GCVE-0-2026-33375)

Vulnerability from cvelistv5 – Published: 2026-03-26 20:05 – Updated: 2026-04-15 19:25

Title

Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS

Summary

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GRAFANA

References

URL

Tags

https://grafana.com/security/security-advisories/…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Grafana	Grafana OSS	Affected: 11.6.0 , < 11.6.14+security-01 (semver) Affected: 12.1.0 , < 12.1.10+security-01 (semver) Affected: 12.2.0 , < 12.2.8+security-01 (semver) Affected: 12.3.0 , < 12.3.6+security-01 (semver) Affected: 12.4.0 , < 12.4.2 (semver)

Date Public ?

2026-03-26 12:52

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33375",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T14:39:23.654250Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T14:40:37.122Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "OnPrem"
          ],
          "product": "Grafana OSS",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "11.6.14+security-01",
              "status": "affected",
              "version": "11.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.1.10+security-01",
              "status": "affected",
              "version": "12.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.2.8+security-01",
              "status": "affected",
              "version": "12.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.3.6+security-01",
              "status": "affected",
              "version": "12.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.4.2",
              "status": "affected",
              "version": "12.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-03-26T12:52:32.117Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T19:25:09.166Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2026-33375"
        }
      ],
      "source": {
        "discovery": "BUG_BOUNTY"
      },
      "title": "Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2026-33375",
    "datePublished": "2026-03-26T20:05:52.564Z",
    "dateReserved": "2026-03-19T07:55:06.977Z",
    "dateUpdated": "2026-04-15T19:25:09.166Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27879 (GCVE-0-2026-27879)

Vulnerability from cvelistv5 – Published: 2026-03-27 14:28 – Updated: 2026-04-15 19:25

Title

Query resampling can cause unbounded memory allocations

Summary

A resample query can be used to trigger out-of-memory crashes in Grafana.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GRAFANA

References

URL

Tags

https://grafana.com/security/security-advisories/…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Grafana	Grafana	Affected: 8.0.0 , < 11.6.14 (semver) Affected: 12.0.0 , < 12.1.10 (semver) Affected: 12.2.0 , < 12.2.8 (semver) Affected: 12.3.0 , < 12.3.6 (semver) Affected: 12.4.0 , < 12.4.2 (semver)

Date Public ?

2026-03-27 14:26

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27879",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T15:02:56.347770Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T15:02:59.478Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Cloud",
            "OnPrem"
          ],
          "product": "Grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "11.6.14",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.1.10",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.2.8",
              "status": "affected",
              "version": "12.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.3.6",
              "status": "affected",
              "version": "12.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.4.2",
              "status": "affected",
              "version": "12.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-03-27T14:26:32.584Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A resample query can be used to trigger out-of-memory crashes in Grafana."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T19:25:07.791Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2026-27879"
        }
      ],
      "source": {
        "discovery": "INTERNAL_FINDING"
      },
      "title": "Query resampling can cause unbounded memory allocations",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2026-27879",
    "datePublished": "2026-03-27T14:28:56.133Z",
    "dateReserved": "2026-02-24T14:30:17.727Z",
    "dateUpdated": "2026-04-15T19:25:07.791Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21724 (GCVE-0-2026-21724)

Vulnerability from cvelistv5 – Published: 2026-03-26 20:06 – Updated: 2026-04-15 19:25

Title

Missing Protected-field Authorization in Provisioning Contact Points API

Summary

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-285 - Improper Authorization

Assigner

GRAFANA

References

URL

Tags

https://grafana.com/security/security-advisories/…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Grafana	Grafana OSS	Affected: 12.3.1 , < 12.3.6 (semver) Affected: 12.2.2 , < 12.2.8 (semver) Affected: 12.1.5 , < 12.1.10 (semver) Affected: 11.6.9 , < 11.6.14 (semver)

Date Public ?

2026-03-25 22:00

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21724",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T13:42:43.732342Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-285",
                "description": "CWE-285 Improper Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T13:56:12.761Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "OnPrem"
          ],
          "product": "Grafana OSS",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.3.6",
              "status": "affected",
              "version": "12.3.1",
              "versionType": "semver"
            },
            {
              "lessThan": "12.2.8",
              "status": "affected",
              "version": "12.2.2",
              "versionType": "semver"
            },
            {
              "lessThan": "12.1.10",
              "status": "affected",
              "version": "12.1.5",
              "versionType": "semver"
            },
            {
              "lessThan": "11.6.14",
              "status": "affected",
              "version": "11.6.9",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-03-25T22:00:37.352Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T19:25:06.401Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2026-21724"
        }
      ],
      "source": {
        "discovery": "BUG_BOUNTY"
      },
      "title": "Missing Protected-field Authorization in Provisioning Contact Points API",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2026-21724",
    "datePublished": "2026-03-26T20:06:18.829Z",
    "dateReserved": "2026-01-05T09:26:06.214Z",
    "dateUpdated": "2026-04-15T19:25:06.401Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21721 (GCVE-0-2026-21721)

Vulnerability from cvelistv5 – Published: 2026-01-27 09:07 – Updated: 2026-04-15 19:25

Title

Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation

Summary

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-863 - Incorrect Authorization

Assigner

GRAFANA

References

URL

Tags

https://grafana.com/security/security-advisories/…

vendor-advisory

Impacted products

Vendor

Product

Version

grafana/grafana

Affected: 12.3.0 , < 12.3.1 (semver)

	Grafana	grafana/grafana	Affected: 12.2.0 , < 12.2.3 (semver)
	Grafana	grafana/grafana	Affected: 12.1.0 , < 12.1.5 (semver)
	Grafana	grafana/grafana	Affected: 12.0.0 , < 12.0.8 (semver)
	Grafana	grafana/grafana	Affected: 10.2.0 , < 11.6.9 (semver)
	Grafana	grafana/grafana-enterprise	Affected: 10.2.0 , < 11.6.9 (semver)
	Grafana	grafana/grafana-enterprise	Affected: 12.0.0 , < 12.0.8 (semver)
	Grafana	grafana/grafana-enterprise	Affected: 12.1.0 , < 12.1.5 (semver)
	Grafana	grafana/grafana-enterprise	Affected: 12.2.0 , < 12.2.3 (semver)
	Grafana	grafana/grafana-enterprise	Affected: 12.3.0 , < 12.3.1 (semver)

Date Public ?

2026-01-27 09:05

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21721",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-28T04:55:19.556498Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-863",
                "description": "CWE-863 Incorrect Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T21:45:54.908Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.3.1",
              "status": "affected",
              "version": "12.3.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.2.3",
              "status": "affected",
              "version": "12.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.1.5",
              "status": "affected",
              "version": "12.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.0.8",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "11.6.9",
              "status": "affected",
              "version": "10.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "11.6.9",
              "status": "affected",
              "version": "10.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.0.8",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.1.5",
              "status": "affected",
              "version": "12.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.2.3",
              "status": "affected",
              "version": "12.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.3.1",
              "status": "affected",
              "version": "12.3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-01-27T09:05:28.422Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "type": "text/markdown",
              "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
            }
          ],
          "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T19:25:09.512Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2026-21721"
        }
      ],
      "source": {
        "discovery": "BUG_BOUNTY"
      },
      "title": "Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2026-21721",
    "datePublished": "2026-01-27T09:07:55.160Z",
    "dateReserved": "2026-01-05T09:26:06.214Z",
    "dateUpdated": "2026-04-15T19:25:09.512Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26958 (GCVE-0-2026-26958)

Vulnerability from cvelistv5 – Published: 2026-02-19 23:01 – Updated: 2026-02-20 15:39

Title

filippo.io/edwards25519 MultiScalarMult function produces invalid results or undefined behavior if receiver is not the identity

Summary

filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.

Severity ?

1.7 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

CWE

CWE-665 - Improper Initialization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/FiloSottile/edwards25519/secur…	x_refsource_CONFIRM
	https://github.com/FiloSottile/edwards25519/commi…	x_refsource_MISC
	https://github.com/FiloSottile/edwards25519/relea…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	FiloSottile	filippo.io/edwards25519	Affected: < 1.1.1

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26958",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-20T15:27:08.887006Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-20T15:39:04.748Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "filippo.io/edwards25519",
          "vendor": "FiloSottile",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 1.7,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-665",
              "description": "CWE-665: Improper Initialization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-19T23:01:26.923Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr"
        },
        {
          "name": "https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb"
        },
        {
          "name": "https://github.com/FiloSottile/edwards25519/releases/tag/v1.1.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FiloSottile/edwards25519/releases/tag/v1.1.1"
        }
      ],
      "source": {
        "advisory": "GHSA-fw7p-63qq-7hpr",
        "discovery": "UNKNOWN"
      },
      "title": "filippo.io/edwards25519 MultiScalarMult function produces invalid results or undefined behavior if receiver is not the identity"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26958",
    "datePublished": "2026-02-19T23:01:26.923Z",
    "dateReserved": "2026-02-16T22:20:28.611Z",
    "dateUpdated": "2026-02-20T15:39:04.748Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21720 (GCVE-0-2026-21720)

Vulnerability from cvelistv5 – Published: 2026-01-27 09:07 – Updated: 2026-04-15 19:25

Title

Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out

Summary

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption
CWE-703 - Improper Check or Handling of Exceptional Conditions

Assigner

GRAFANA

References

URL

Tags

https://grafana.com/security/security-advisories/…

vendor-advisory

Impacted products

Vendor

Product

Version

grafana/grafana-enterprise

Affected: 3.0.0 , < 11.6.9 (semver)

	Grafana	grafana/grafana-enterprise	Affected: 3.0.0 , < 12.0.8 (semver)
	Grafana	grafana/grafana-enterprise	Affected: 3.0.0 , < 12.1.5 (semver)
	Grafana	grafana/grafana	Affected: 3.0.0 , < 11.6.9 (semver)
	Grafana	grafana/grafana	Affected: 3.0.0 , < 12.0.8 (semver)
	Grafana	grafana/grafana	Affected: 3.0.0 , < 12.1.5 (semver)
	Grafana	grafana/grafana-enterprise	Affected: 3.0.0 , < 12.2.3 (semver)
	Grafana	grafana/grafana	Affected: 3.0.0 , < 12.2.3 (semver)
	Grafana	grafana/grafana-enterprise	Affected: 3.0.0 , < 12.3.1 (semver)
	Grafana	grafana/grafana	Affected: 3.0.0 , < 12.3.1 (semver)

Date Public ?

2026-01-27 09:03

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21720",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-27T14:28:02.795937Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-703",
                "description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-27T14:29:08.671Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "11.6.9",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.0.8",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.1.5",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "11.6.9",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.0.8",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.1.5",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.2.3",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.2.3",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.3.1",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.3.1",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-01-27T09:03:09.893Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "type": "text/markdown",
              "value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
            }
          ],
          "value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T19:25:07.460Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2026-21720"
        }
      ],
      "source": {
        "discovery": "BUG_BOUNTY"
      },
      "title": "Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2026-21720",
    "datePublished": "2026-01-27T09:07:04.758Z",
    "dateReserved": "2026-01-05T09:26:06.214Z",
    "dateUpdated": "2026-04-15T19:25:07.460Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21725 (GCVE-0-2026-21725)

Vulnerability from cvelistv5 – Published: 2026-02-25 12:35 – Updated: 2026-04-15 19:25

Title

Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name

Summary

A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion. - Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana. - The attacker must delete the datasource, then someone must recreate it. - The new datasource must not have the attacker as an admin. - The new datasource must have the same UID as the prior datasource. These are randomised by default. - The datasource can now be re-deleted by the attacker. - Once 30 seconds are up, the attack is spent and cannot be repeated. - No datasource with any other UID can be attacked.

Severity ?

2.6 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

Assigner

GRAFANA

References

URL

Tags

https://grafana.com/security/security-advisories/…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Grafana	Grafana	Affected: v11.0.0 , < v12.4.1 (semver)

Date Public ?

2026-02-25 08:21

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21725",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-25T15:13:32.666615Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-25T15:13:57.618Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "OnPrem"
          ],
          "product": "Grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "v12.4.1",
              "status": "affected",
              "version": "v11.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-02-25T08:21:23.844Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.\n\nThis requires several very stringent conditions to be met:\n\n- The attacker must have admin access to the specific datasource prior to its first deletion.\n- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.\n- The attacker must delete the datasource, then someone must recreate it.\n- The new datasource must not have the attacker as an admin.\n- The new datasource must have the same UID as the prior datasource. These are randomised by default.\n- The datasource can now be re-deleted by the attacker.\n- Once 30 seconds are up, the attack is spent and cannot be repeated.\n- No datasource with any other UID can be attacked."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T19:25:04.909Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2026-21725"
        }
      ],
      "source": {
        "discovery": "BUG_BOUNTY"
      },
      "title": "Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2026-21725",
    "datePublished": "2026-02-25T12:35:43.104Z",
    "dateReserved": "2026-01-05T09:26:06.214Z",
    "dateUpdated": "2026-04-15T19:25:04.909Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.