CVSS: 5.4 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-21724 – Missing Protected-field Authorization in Provisioning Contact Points API
https://notcve.org/view.php?id=CVE-2026-21724
26 Mar 2026 — A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with the Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission. • https://grafana.com/security/security-advisories/cve-2026-21724 • CWE-285: Improper Authorization
CVSS: 8.8 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2024-9476 – Privilege escalation vulnerability for Organizations in Grafana
https://notcve.org/view.php?id=CVE-2024-9476
13 Nov 2024 — A vulnerability in Grafana Labs Grafana OSS and Enterprise allows privilege escalation: users can gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant. This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance. These are all security issues fixed in the grafana-11.3.2-1.1 package on the GA media of openSUSE Tumbleweed. • https://grafana.com/blog/2024/11/12/grafana-security-release-medium-severity-security-fix-for-cve-2024-9476 • CWE-266: Incorrect Privilege Assignment
