CVSS: 3.3EPSS: 0%CPEs: 5EXPL: 0CVE-2026-21727 – Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record
https://notcve.org/view.php?id=CVE-2026-21727
15 Apr 2026 — --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlati... • https://grafana.com/security/security-advisories/cve-2026-21727 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-12141 – Grafana Alerting Editors can edit destination of webhooks they did not create
https://notcve.org/view.php?id=CVE-2025-12141
15 Apr 2026 — In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials f... • https://grafana.com/security/security-advisories/cve-2025-12141 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-27879 – Query resampling can cause unbounded memory allocations
https://notcve.org/view.php?id=CVE-2026-27879
27 Mar 2026 — A resample query can be used to trigger out-of-memory crashes in Grafana. • https://grafana.com/security/security-advisories/cve-2026-27879 • CWE-400: Uncontrolled Resource Consumption CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-28375 – Grafana Testdata datasource can issue unbounded memory allocations
https://notcve.org/view.php?id=CVE-2026-28375
27 Mar 2026 — A testdata data-source can be used to trigger out-of-memory crashes in Grafana. • https://grafana.com/security/security-advisories/cve-2026-28375 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.1EPSS: 0%CPEs: 5EXPL: 0CVE-2026-27876 – RCE on Grafana via sqlExpressions
https://notcve.org/view.php?id=CVE-2026-27876
27 Mar 2026 — A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12... • https://grafana.com/security/security-advisories/cve-2026-27876 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-27880 – OpenFeature evaluation API reads input data with no bounds
https://notcve.org/view.php?id=CVE-2026-27880
27 Mar 2026 — The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. • https://grafana.com/security/security-advisories/cve-2026-27880 • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-27877 – Public dashboards discloses all direct mode datasources
https://notcve.org/view.php?id=CVE-2026-27877
27 Mar 2026 — When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security. • https://grafana.com/security/security-advisories/cve-2026-27877 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1088 – Very long unicode dashboard title or panel name can hang the frontend
https://notcve.org/view.php?id=CVE-2025-1088
18 Jun 2025 — In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher. In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher. These are al... • https://grafana.com/security/security-advisories/cve-2025-1088 • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 0CVE-2023-6152 – SUSE Security Advisory - SUSE-SU-2025:0545-1
https://notcve.org/view.php?id=CVE-2023-6152
13 Feb 2024 — A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up. Un usuario que cambia su correo electrónico después de registrarse y verificarlo puede cambiarlo sin verificación en la configuración del perfil. La opción de configuración "verify_email_enabled" solo validará el correo electrónico al registrarse. This update for grafana and mybatis fixes the following ... • https://github.com/grafana/bugbounty/security/advisories/GHSA-3hv4-r2fm-h27f • CWE-863: Incorrect Authorization •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4822 – grafana: incorrect assessment of permissions across organizations
https://notcve.org/view.php?id=CVE-2023-4822
16 Oct 2023 — Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally. This means that any Organization Admin can elevate th... • https://grafana.com/security/security-advisories/cve-2023-4822 • CWE-269: Improper Privilege Management •