CVE-2025-3260
openSUSE Security Advisory - openSUSE-SU-2025:15225-1
Public Exploits: 0
Exploited in Wild: -
Descriptions
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).
Impact:
- Viewers can view all dashboards/folders regardless of permissions
- Editors can view/edit/delete all dashboards/folders regardless of permissions
- Editors can create dashboards in any folder regardless of permissions
- Anonymous users with viewer/editor roles are similarly affected
Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
These are all security issues fixed in the govulncheck-vulndb-0.0.20250612T141001-1.1 package on the GA media of openSUSE Tumbleweed.
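The following is an added example, not code from the advisory, openSUSE or Grafana. It encodes the affected range given under "Affected Vendors, Products, and Versions" (>= 11.6.0, < 11.6.1+security-01), taking care that Grafana's "+security-NN" suffix is ranked rather than ignored the way plain semver build metadata would be, and it scans access-log lines for requests to the affected API group. The /apis/<group>/<version>/ path layout used for the prefixes, the namespace segment in the sample paths, and the sample log lines themselves are assumptions constructed for illustration.

```python
import re

# Range from the advisory: affected if >= 11.6.0 and < 11.6.1+security-01.
AFFECTED_MIN = "11.6.0"
FIXED_IN = "11.6.1+security-01"

# API group versions the advisory names. The path layout is an assumption for
# illustration: Grafana serves its Kubernetes-style APIs under /apis/<group>/<version>/.
API_GROUP = "dashboard.grafana.app"
API_VERSIONS = ("v0alpha1", "v1alpha1", "v2alpha1")

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+security-(\d+))?$"
)


def version_key(version):
    """Sortable key for a Grafana version string such as '11.6.1+security-01'.

    Plain semver ignores build metadata when ordering, so a generic semver
    comparison treats 11.6.1 and 11.6.1+security-01 as equal and would mark the
    unpatched 11.6.1 as fixed. Grafana uses '+security-NN' for distinct security
    releases, so the suffix is ranked explicitly:
      11.6.1-pre < 11.6.1 < 11.6.1+security-01 < 11.6.1+security-02
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    major, minor, patch, prerelease, security = m.groups()
    return (
        int(major), int(minor), int(patch),
        0 if prerelease else 1,           # pre-release sorts below the release
        int(security) if security else 0,  # no suffix sorts below +security-01
    )


def is_affected(version):
    """True if `version` lies in the advisory's affected range (only that range is encoded)."""
    return version_key(AFFECTED_MIN) <= version_key(version) < version_key(FIXED_IN)


def affected_path_prefixes():
    """Path prefixes to look for in proxy/access logs while an instance is unpatched."""
    return [f"/apis/{API_GROUP}/{v}/" for v in API_VERSIONS]


def requests_to_dashboard_api(log_lines):
    """Return (method, path) pairs for log lines whose request hits the affected API group.

    Expects a common-log-format request field such as '"GET /apis/... HTTP/1.1"'.
    A hit shows who touched the new endpoints during the exposure window; it does
    not by itself prove a bypass, since properly authorised users use the same paths.
    """
    req = re.compile(r'"(GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/[\d.]+"')
    prefixes = tuple(affected_path_prefixes())
    hits = []
    for line in log_lines:
        m = req.search(line)
        if m and m.group(2).startswith(prefixes):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample lines, not from a real deployment. The viewer is refused on the
# legacy API but succeeds on the new one, which is the pattern the advisory describes.
SAMPLE_LOG = [
    '10.0.0.5 - viewer [02/Jun/2025:10:01:02 +0000] "GET /api/dashboards/uid/abc HTTP/1.1" 403 12',
    '10.0.0.5 - viewer [02/Jun/2025:10:01:09 +0000] "GET /apis/dashboard.grafana.app/v1alpha1/namespaces/default/dashboards/abc HTTP/1.1" 200 5120',
    '10.0.0.7 - editor [02/Jun/2025:10:02:00 +0000] "DELETE /apis/dashboard.grafana.app/v0alpha1/namespaces/default/dashboards/xyz HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for v in ("11.5.9", "11.6.0", "11.6.1", "11.6.1+security-01", "12.0.0"):
        print(f"{v:22} affected={is_affected(v)}")
    for method, path in requests_to_dashboard_api(SAMPLE_LOG):
        print(method, path)
```

The version check only encodes the range this page lists; an instance whose version string does not match the pattern raises rather than silently passing, which is the safer failure for an inventory script.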
SSVC
- Decision: Track*
Timeline
- 2025-04-04 CVE Reserved
- 2025-06-02 CVE Published
- 2026-02-26 CVE Updated
- 2026-03-29 EPSS Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
- First Exploit: no date recorded
CWE
- CWE-863: Incorrect Authorization
CAPEC
- CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
References (1)
| URL | Date | SRC |
|---|---|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Grafana | Grafana | >= 11.6.0 < 11.6.1+security-01 | en | Affected |
