CVSS: 3.3EPSS: 0%CPEs: 5EXPL: 0CVE-2026-21727 – Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record
https://notcve.org/view.php?id=CVE-2026-21727
15 Apr 2026 — --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlati... • https://grafana.com/security/security-advisories/cve-2026-21727 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-12141 – Grafana Alerting Editors can edit destination of webhooks they did not create
https://notcve.org/view.php?id=CVE-2025-12141
15 Apr 2026 — In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials f... • https://grafana.com/security/security-advisories/cve-2025-12141 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-27879 – Query resampling can cause unbounded memory allocations
https://notcve.org/view.php?id=CVE-2026-27879
27 Mar 2026 — A resample query can be used to trigger out-of-memory crashes in Grafana. • https://grafana.com/security/security-advisories/cve-2026-27879 • CWE-400: Uncontrolled Resource Consumption CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-28375 – Grafana Testdata datasource can issue unbounded memory allocations
https://notcve.org/view.php?id=CVE-2026-28375
27 Mar 2026 — A testdata data-source can be used to trigger out-of-memory crashes in Grafana. • https://grafana.com/security/security-advisories/cve-2026-28375 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.1EPSS: 0%CPEs: 5EXPL: 0CVE-2026-27876 – RCE on Grafana via sqlExpressions
https://notcve.org/view.php?id=CVE-2026-27876
27 Mar 2026 — A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12... • https://grafana.com/security/security-advisories/cve-2026-27876 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-27880 – OpenFeature evaluation API reads input data with no bounds
https://notcve.org/view.php?id=CVE-2026-27880
27 Mar 2026 — The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. • https://grafana.com/security/security-advisories/cve-2026-27880 • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-27877 – Public dashboards discloses all direct mode datasources
https://notcve.org/view.php?id=CVE-2026-27877
27 Mar 2026 — When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security. • https://grafana.com/security/security-advisories/cve-2026-27877 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0CVE-2025-3415 – openSUSE Security Advisory - openSUSE-SU-2025:15226-1
https://notcve.org/view.php?id=CVE-2025-3415
05 Jul 2025 — Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01 These are all security issues fixed in the grafana-11.6.3-1.1 package on the GA media of openSUSE Tumbleweed. • https://grafana.com/security/security-advisories/cve-2025-3415 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1088 – Very long unicode dashboard title or panel name can hang the frontend
https://notcve.org/view.php?id=CVE-2025-1088
18 Jun 2025 — In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher. In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher. These are al... • https://grafana.com/security/security-advisories/cve-2025-1088 • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-3580 – SUSE Security Advisory - SUSE-SU-2025:01989-1
https://notcve.org/view.php?id=CVE-2025-3580
23 May 2025 — An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server ... • https://grafana.com/security/security-advisories/cve-2025-3580 • CWE-284: Improper Access Control •