
Grafana security release: Medium and high severity security fixes for CVE-2025-4123 and CVE-2025-3580

2025-05-23

Today we are releasing patches for Grafana 12.0 and all current supported versions. These patch releases contain a fix for CVE-2025-4123, a high severity cross-site scripting (XSS) vulnerability that allows attackers to redirect users to malicious websites. They also contain a fix for CVE-2025-3580, a medium severity vulnerability that stems from the user deletion logic associated with organization administrators.

XSS vulnerability (CVE-2025-4123)

Summary

On April 26, a bug bounty report identified a cross-site scripting (XSS) vulnerability in Grafana caused by client path traversal and open redirect. This allows attackers to redirect users to malicious websites that execute arbitrary JavaScript code through custom frontend plugins. Unlike many other XSS vulnerabilities, this vulnerability does not require editor permissions. If anonymous access is enabled, the XSS will work.

Note: This can be abused as a full read SSRF if the Grafana Image Renderer plugin is installed.

The CVSS score for this vulnerability is 7.6 HIGH.

Grafana Labs customers received patched versions in advance. As always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.

Impact

This XSS vulnerability could enable the redirection of users to external websites and the execution of malicious JavaScript within their browsers. Successful exploitation of this vulnerability might result in session hijacking or complete account takeover.

Impacted versions

This vulnerability impacts Grafana OSS and Grafana Enterprise running on all supported versions of Grafana at this time, and unsupported versions going back to at least Grafana 8.

As a reminder, the following versions are supported as of the date of this blog post:

  • Grafana >= 11.2
  • Grafana >= 11.3
  • Grafana >= 11.4
  • Grafana >= 11.5
  • Grafana >= 11.6
  • Grafana >= 12.0

Grafana Cloud users were not impacted by this vulnerability.

Solutions and mitigations

To fully address CVE-2025-4123, please upgrade your Grafana instances.

If you want an update containing only the security fix for CVE-2025-4123, please see our previous security blog post on the security patch releases for this vulnerability.

You can also block this attack by adding the default Content Security Policy configuration as suggested in the Grafana docs.

Example:

content_security_policy = true
content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""
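Enabling the template is only half of the mitigation; the header the browser actually receives has to carry the substituted $NONCE and the restrictive directives. The following is an added example (not Grafana code, and not a tool Grafana ships) that parses a Content-Security-Policy header and checks it against the directives of the default template above. The header values, the hostname grafana.example.internal and the nonce value are constructed for the check.

```python
"""Check a served Content-Security-Policy header against the directives in
Grafana's default template. Added example, not Grafana code."""
import re
import urllib.request

# Directives from the default template that should reach the browser
# unchanged. $NONCE is substituted per response by Grafana, so the served
# script-src must carry a 'nonce-...' source rather than the literal $NONCE.
REQUIRED = {
    "object-src": {"'none'"},
    "base-uri": {"'self'"},
    "form-action": {"'self'"},
}
NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}.
    Directive names are case-insensitive and the first occurrence wins,
    which is how browsers treat duplicated directives."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def check_grafana_csp(header: str) -> list[str]:
    """Return findings (empty list = policy matches what the default template
    produces). Checks the fixed directives, that script-src is present with a
    per-response nonce, and that script-src has no wildcard-style sources."""
    policy = parse_csp(header)
    if not policy:
        return ["no Content-Security-Policy header served"]
    findings = []
    for name, expected in REQUIRED.items():
        if name not in policy:
            findings.append(f"{name} missing")
        elif set(policy[name]) != expected:
            findings.append(f"{name} is {policy[name]}, expected {sorted(expected)}")
    script = policy.get("script-src")
    if script is None:
        findings.append("script-src missing")
    else:
        if not any(NONCE_RE.match(s) for s in script):
            findings.append("script-src has no nonce (was $NONCE substituted?)")
        findings.extend(f"script-src allows broad source {s}"
                        for s in script if s in BROAD_SOURCES)
    return findings


def fetch_csp(url: str, timeout: float = 5.0) -> str:
    """Fetch a page of a Grafana instance and return its CSP header
    ('' if none). For live checks only; the constructed headers below run offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get("Content-Security-Policy", "")


# Constructed headers: what the template produces once $NONCE and $ROOT_PATH
# are substituted (hostname and nonce are placeholders), and a weak policy.
SERVED_OK = (
    "script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' "
    "'nonce-c29tZXJhbmRvbQ==';object-src 'none';font-src 'self';"
    "style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';"
    "connect-src 'self' grafana.com ws://grafana.example.internal/ "
    "wss://grafana.example.internal/;manifest-src 'self';media-src 'none';"
    "form-action 'self';"
)
SERVED_WEAK = "script-src * 'unsafe-inline';img-src * data:;"

if __name__ == "__main__":
    for label, hdr in (("ok", SERVED_OK), ("weak", SERVED_WEAK)):
        print(label, check_grafana_csp(hdr) or "no findings")
```

Run it against the header returned by your own instance (for example `check_grafana_csp(fetch_csp("https://<your-grafana>/login"))`) after enabling the template; an empty result means the served policy matches the default, while a "no nonce" finding usually means the header is coming from a proxy rather than from Grafana's substitution.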

Timeline and post-incident review

Here is a detailed incident timeline starting from when we originally introduced the issue. All times are in UTC.

  • 2025-04-26 15:17 - Bug bounty report created
  • 2025-04-28 07:33 - Bug bounty report triaged and confirmed as valid
  • 2025-04-30 07:22 - Fix created internally
  • 2025-05-01 21:22 - Partners and customers contacted
  • 2025-05-06 21:24 - Private releases created
  • 2025-05-21 12:09 - Discovery that vulnerability was leaked to public
  • 2025-05-21 14:13 - Decision made to release security patches one day ahead of schedule
  • 2025-05-21 18:00 - Public release for security patches 
  • 2025-05-21 21:00 - Blog post published for security patches
  • 2025-05-22 22:30 - Public release of regularly scheduled patch releases that include fix for CVE-2025-4123
  • 2025-05-23 01:00 - Blog post published for regularly scheduled patch releases that include fix for CVE-2025-4123

Acknowledgements

This vulnerability was discovered by Alvaro Balada who notified us through our bug bounty program.

User deletion issue (CVE-2025-3580)

Summary

On April 15, we discovered a vulnerability that stems from the user deletion logic associated with organization administrators. An organization admin could remove any user from the specific organization they manage. Additionally, they have the power to delete users entirely from the system if they have no other org membership. This leads to two situations:

  1. They can delete a server admin if the organization the Organization Admin manages is the server admin’s final organizational membership.
  2. They can delete any user (regardless of whether they are a server admin or not) if that user currently belongs to no organizations.

These two situations allow an organization admin to disrupt instance-wide activity by continually deleting server administrators if there is only one organization, or if the server administrators are not part of any organization.

The CVSS score for this vulnerability is 5.5 Medium. 

Appropriate patches have been applied to Grafana Cloud. As always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.

Impact

If the only server administrator account is deleted due to this vulnerability, the Grafana instance becomes effectively unmanageable, as there is no remaining account with the necessary server-wide administrative permissions, until direct database access is used to set a user as server administrator.

Impacted versions

Grafana >= v5.4.0

Solutions and mitigations

To fully address CVE-2025-3580, please upgrade your Grafana instances.

By default, server administrators are added to every organization they create. As an alternative mitigation, create a second organization for server administrators in the instance and add all server administrators to it; this prevents their removal from the instance.
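To make the two situations listed above and the second-organization mitigation concrete, here is an added illustration (not Grafana's code, and the guarded variant is one plausible fix, not a statement of what the Grafana patch does): a small in-memory model of the organization-admin removal path, the same path with a guard, and an audit helper that lists server admins with fewer than two organization memberships. The users, organization names and roles are constructed.

```python
"""In-memory model of the organization-admin removal path described for
CVE-2025-3580, with a guarded variant. Added illustration, not Grafana's code;
the guard is one plausible fix, not necessarily the one shipped."""
from dataclasses import dataclass, field


@dataclass
class User:
    login: str
    is_server_admin: bool = False
    # org name -> role in that org ("Admin", "Editor", "Viewer")
    orgs: dict[str, str] = field(default_factory=dict)


class Instance:
    def __init__(self, users: list[User]):
        self.users = {u.login: u for u in users}

    def server_admins(self) -> list[str]:
        return sorted(u.login for u in self.users.values() if u.is_server_admin)

    def _require_org_admin(self, actor: str, org: str) -> None:
        if self.users[actor].orgs.get(org) != "Admin":
            raise PermissionError(f"{actor} is not an admin of {org}")

    def remove_user_vulnerable(self, actor: str, org: str, target: str) -> str:
        """Behaviour the advisory describes: the org admin removes the target
        from their org and, if that leaves the target with no org memberships
        (or they had none to begin with), the user is deleted instance-wide,
        with no check on whether the target is a server admin."""
        self._require_org_admin(actor, org)
        t = self.users[target]
        t.orgs.pop(org, None)
        if not t.orgs:
            del self.users[target]
            return "deleted_from_instance"
        return "removed_from_org"

    def remove_user_hardened(self, actor: str, org: str, target: str) -> str:
        """Guarded variant (assumption): the org-admin path may only drop a
        membership that exists in the org it manages, never touches server
        admins, and never deletes the account itself."""
        self._require_org_admin(actor, org)
        t = self.users[target]
        if t.is_server_admin:
            raise PermissionError("org admins cannot remove a server admin")
        if org not in t.orgs:
            raise PermissionError(f"{target} is not a member of {org}")
        del t.orgs[org]
        return "removed_from_org"


def unprotected_server_admins(inst: Instance) -> list[str]:
    """Audit helper for the advisory's mitigation: server admins with fewer
    than two org memberships are the ones a single org admin could reach
    through the vulnerable path."""
    return sorted(u.login for u in inst.users.values()
                  if u.is_server_admin and len(u.orgs) < 2)


def build_demo() -> Instance:
    """Constructed instance: one server admin in a single org, an org admin
    of that org, and an orphan user with no memberships."""
    return Instance([
        User("root", is_server_admin=True, orgs={"Main Org.": "Admin"}),
        User("orgadmin", orgs={"Main Org.": "Admin"}),
        User("orphan"),
    ])


if __name__ == "__main__":
    inst = build_demo()
    print(inst.remove_user_vulnerable("orgadmin", "Main Org.", "root"),
          "remaining server admins:", inst.server_admins())
    inst = build_demo()
    inst.users["root"].orgs["Server Admins"] = "Admin"   # the mitigation
    print("unprotected after mitigation:", unprotected_server_admins(inst))
```

The vulnerable path shows situation 1 (the server admin's only membership is in the org the actor manages, so removal cascades into an instance-wide delete) and situation 2 (an orphan user with no memberships is deleted outright). The audit helper encodes the mitigation as a check you can run over your own user list: after the server-admin organization is added, no server admin is reachable through a single organization.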

Timeline and post-incident review

Here is a detailed incident timeline starting from when we originally introduced the issue. All times are in UTC.

  • 2025-04-13 15:58 - Bug bounty report created
  • 2025-04-14 09:53 - Bug bounty report triaged and confirmed as valid
  • 2025-04-15 22:32 - Fixes created internally
  • 2025-04-16 08:09 - Partner communications sent out
  • 2025-04-28 12:00 - Private fix shared with partners
  • 2025-05-21 18:00 - Public release for security patches
  • 2025-05-21 21:00 - Blog post published for security patches

Acknowledgements

This vulnerability was discovered by Saket Pandey who notified us through our bug bounty program.

Reporting security issues

If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.

You can also read more about our bug bounty program and find out who has made our Security Hall of Fame.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.