CVSS: 3.3EPSS: 0%CPEs: 5EXPL: 0CVE-2026-21727 – Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record
https://notcve.org/view.php?id=CVE-2026-21727
15 Apr 2026 — --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlati... • https://grafana.com/security/security-advisories/cve-2026-21727 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-12141 – Grafana Alerting Editors can edit destination of webhooks they did not create
https://notcve.org/view.php?id=CVE-2025-12141
15 Apr 2026 — In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials f... • https://grafana.com/security/security-advisories/cve-2025-12141 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-27879 – Query resampling can cause unbounded memory allocations
https://notcve.org/view.php?id=CVE-2026-27879
27 Mar 2026 — A resample query can be used to trigger out-of-memory crashes in Grafana. • https://grafana.com/security/security-advisories/cve-2026-27879 • CWE-400: Uncontrolled Resource Consumption CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-28375 – Grafana Testdata datasource can issue unbounded memory allocations
https://notcve.org/view.php?id=CVE-2026-28375
27 Mar 2026 — A testdata data-source can be used to trigger out-of-memory crashes in Grafana. • https://grafana.com/security/security-advisories/cve-2026-28375 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.1EPSS: 0%CPEs: 5EXPL: 0CVE-2026-27876 – RCE on Grafana via sqlExpressions
https://notcve.org/view.php?id=CVE-2026-27876
27 Mar 2026 — A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12... • https://grafana.com/security/security-advisories/cve-2026-27876 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-27880 – OpenFeature evaluation API reads input data with no bounds
https://notcve.org/view.php?id=CVE-2026-27880
27 Mar 2026 — The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. • https://grafana.com/security/security-advisories/cve-2026-27880 • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-27877 – Public dashboards discloses all direct mode datasources
https://notcve.org/view.php?id=CVE-2026-27877
27 Mar 2026 — When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security. • https://grafana.com/security/security-advisories/cve-2026-27877 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-33375 – Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS
https://notcve.org/view.php?id=CVE-2026-33375
26 Mar 2026 — The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container. El plugin de fuente de datos de Grafana MSSQL contiene un fallo lógico que permite a un usuario con pocos privilegios (Visor) eludir las restricciones de la API y desencadenar un agotamiento catastrófico de la memoria por Out-Of-Memory (OOM), lo que provoca la caída del contenedor anfitr... • https://grafana.com/security/security-advisories/cve-2026-33375 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 2.6EPSS: 0%CPEs: 1EXPL: 0CVE-2026-21725 – Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name
https://notcve.org/view.php?id=CVE-2026-21725
25 Feb 2026 — A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion. - Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana. - The attacker must delete the datasource, then someone must recreate it. - The new datasource ... • https://grafana.com/security/security-advisories/cve-2026-21725 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 4.2EPSS: 1%CPEs: 5EXPL: 0CVE-2025-6197 – SUSE Security Advisory - SUSE-SU-2025:4482-1
https://notcve.org/view.php?id=CVE-2025-6197
18 Jul 2025 — An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL Se ha identificado una vulnerabilidad de redirección abierta en la funcionalidad de cambio de organización de Grafana OSS. Requisitos para su explotación: - Deben existir varias organizaciones en la instancia de Grafana. - La víctima deb... • https://grafana.com/blog/2025/07/17/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-6197-and-cve-2025-6023 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •