Grafana security release: Medium and high severity fixes for CVE-2025-6197 and CVE-2025-6023
Today we are releasing security patches for Grafana 12.0.x, 11.6.x, 11.5.x, 11.4.x, and 11.3.x. These security releases contain fixes for CVE-2025-6023, a high severity cross-site scripting (XSS) vulnerability, and CVE-2025-6197, a medium severity open redirect vulnerability.
- Download Grafana 12.0.2+security-01
- Download Grafana 11.6.3+security-01
- Download Grafana 11.5.6+security-01
- Download Grafana 11.4.6+security-01
- Download Grafana 11.3.8+security-01
As per our security policy, Grafana Labs customers have received security patched versions in advance under embargo, and Grafana Cloud has been patched seamlessly. As always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.
Both of the vulnerabilities below were identified through our bug bounty program.
XSS via client path traversal and open redirect (CVE-2025-6023)
Summary
On June 11, a bug bounty report identified a cross-site scripting (XSS) vulnerability in Grafana caused by client path traversal combined with an open redirect. It allows an attacker to redirect users to a malicious website whose JavaScript is then loaded and executed through the scripted dashboards feature. Unlike many other XSS vulnerabilities, this one does not require Editor permissions. If anonymous access is enabled, the XSS works without the victim logging in, since anonymous users are granted Viewer permissions by default.
The CVSS score for this vulnerability is 7.6 (High).
Grafana Cloud users were affected by this XSS since its Content-Security-Policy did not include a connect-src directive, which is needed to stop the browser from fetching attacker-hosted JavaScript. An attacker does not need access to the Grafana instance in order to craft a payload, but the victim needs to be authenticated with at least Viewer permissions for the arbitrary JavaScript to execute.
This CVE tracks both the open redirect and the path traversal in the scripted dashboards functionality that together lead to XSS, rather than splitting them into separate CVEs so that each would be scored lower individually.
Impact
This XSS vulnerability could enable the redirection of users to external websites and the execution of malicious JavaScript within their browsers. Successful exploitation of this vulnerability might result in session hijacking or complete account takeover.
Impacted versions
>= Grafana 11.5.0
Solutions and mitigations
To fully address CVE-2025-6023, please upgrade your Grafana instances.
If you cannot upgrade immediately, you can block this attack by enabling the default Content Security Policy configuration suggested in the Grafana documentation. The template below restricts connect-src, so the browser can only open connections to the Grafana origin itself and grafana.com, which prevents the scripted dashboards code from fetching attacker-controlled JavaScript. Set it in the [security] section of grafana.ini:
Example:
content_security_policy = true
content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""
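To verify that a running instance actually serves a policy with the connect-src restriction this mitigation depends on, here is an added example in Python. It is not Grafana code; it resolves the effective connect-src the way a browser does (connect-src if present, otherwise default-src, otherwise unrestricted) and flags policies that leave fetches open. The two sample headers are constructed for illustration: the recommended template with Grafana's $NONCE and $ROOT_PATH placeholders already substituted with made-up values, and the same policy with connect-src removed, as described for Grafana Cloud above.

```python
"""Check whether a Content-Security-Policy header restricts connect-src.

Added example for this advisory, not Grafana's own code. A browser resolves
fetch()/XHR/WebSocket destinations against connect-src; if that directive is
absent it falls back to default-src; if both are absent, connections are
unrestricted. The sample headers below are constructed for illustration.
"""
from __future__ import annotations


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source, ...]}.

    Directive names are case-insensitive. A duplicated directive keeps its
    first occurrence, which is how browsers treat duplicates.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_connect_src(header: str) -> list[str] | None:
    """Return the source list that governs connections, or None if the
    policy leaves them unrestricted."""
    policy = parse_csp(header)
    if "connect-src" in policy:
        return policy["connect-src"]
    return policy.get("default-src")


def connect_src_is_restrictive(header: str) -> bool:
    """True when the policy confines client-side fetches to an allow-list.

    A missing list, a wildcard, or a scheme-only source such as "https:"
    counts as unrestricted, because each still lets the page fetch
    JavaScript from an attacker-chosen origin.
    """
    sources = effective_connect_src(header)
    if not sources:
        return False
    for src in sources:
        if src == "*":
            return False
        if src.endswith(":") and "//" not in src:
            return False  # scheme-only source: any host with that scheme
    return True


# Constructed sample: the advisory's template with $NONCE and $ROOT_PATH
# substituted the way Grafana does when it serves the header.
HARDENED = (
    "script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' "
    "'nonce-abc123';object-src 'none';font-src 'self';"
    "style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';"
    "connect-src 'self' grafana.com ws://grafana.example.com "
    "wss://grafana.example.com;manifest-src 'self';media-src 'none';"
    "form-action 'self';"
)

# Constructed sample: the same policy without connect-src and without a
# default-src to fall back on, so fetches are unrestricted.
WEAK = HARDENED.replace(
    "connect-src 'self' grafana.com ws://grafana.example.com "
    "wss://grafana.example.com;",
    "",
)

if __name__ == "__main__":
    for name, header in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, "connect-src:", effective_connect_src(header),
              "restrictive:", connect_src_is_restrictive(header))
```

To check a live deployment, feed the function the value of the Content-Security-Policy header from `curl -sI https://<your-grafana>/login` (or from the browser's network inspector). A result of False for an instance you cannot upgrade yet means the scripted dashboards attack is not blocked by CSP.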
Timeline and post-incident review
All times are in UTC
- 2025-06-11 12:15 - Bug bounty report created
- 2025-06-11 12:33 - Bug bounty report triaged and confirmed as valid
- 2025-06-13 09:10 - Fix created internally
- 2025-06-18 09:29 - Partners contacted
- 2025-06-26 16:16 - Private releases created
- 2025-07-17 22:30 - Public release
- 2025-07-18 01:30 - Blog post published
Acknowledgements
This vulnerability was discovered by Hoa X. Nguyen from OPSWAT, who notified us through our bug bounty program.
Open redirect via organization switching (CVE-2025-6197)
Summary
On June 17, a bug bounty report identified an open redirect vulnerability in Grafana caused by the organization switching functionality. In order for this to be exploitable, the Grafana instance must have more than one organization and the user being redirected needs to be a member of both organizations involved in the switch. Furthermore, the attacker needs to know the ID of the organization that the user is currently viewing.
The CVSS score for this vulnerability is 4.2 (Medium).
Grafana Cloud is not affected by this vulnerability since it does not support Organizations.
Impact
This vulnerability allows attackers to redirect users to malicious websites. This open redirect could be abused to achieve XSS, similar to CVE-2025-6023 (above) and CVE-2025-4123.
Impacted versions
>= Grafana 11.5.0
Solutions and mitigations
To fully address CVE-2025-6197, please upgrade your Grafana instances.
If upgrading is not possible, you can block requests whose Grafana URL path starts with `/\` (percent-encoded: `%2F%5C`) at your ingress or reverse proxy; the rule should match both the raw and the percent-encoded form. Alternatively, you can make sure there is only one organization available in the Grafana instance.
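The following is an added example in Python, not Grafana code, showing why the `/\` prefix matters and how the ingress rule above can be tested before it is deployed. Browsers that follow the WHATWG URL parser treat a backslash like a forward slash in http(s) URLs, so a redirect to `/\evil.example/` is followed as `//evil.example/`, a protocol-relative URL to another host, even though it looks like a same-site path to a naive check. The request lines and host names are constructed for illustration.

```python
"""Model the "/\\" open redirect trick and the ingress rule that blocks it.

Added example for this advisory, not Grafana's own code. The request lines
and host names below are constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def browser_normalize(location: str) -> str:
    """Rewrite a redirect target the way a browser parses it before following
    it: for http(s) URLs the WHATWG parser treats "\\" as "/"."""
    return location.replace("\\", "/")


def redirect_leaves_site(location: str) -> bool:
    """True when a Location value resolves to a different host.

    A protocol-relative "//host/..." (including the "/\\host/..." spelling)
    and any absolute URL are off-site; a single leading slash followed by a
    normal path segment stays on the current origin.
    """
    norm = browser_normalize(location)
    return norm.startswith("//") or bool(_SCHEME.match(norm))


def request_path_is_blocked(raw_target: str) -> bool:
    """Ingress rule from the advisory: drop requests whose path starts with
    "/\\" after one round of percent-decoding, so both "/\\" and "%2F%5C"
    are caught. Match the decoding your proxy applies before routing."""
    return unquote(raw_target).startswith("/\\")


def classify_requests(request_lines: list[str]) -> dict[str, bool]:
    """Map each HTTP request target to whether the ingress rule blocks it."""
    verdicts: dict[str, bool] = {}
    for line in request_lines:
        _method, target, _version = line.split()
        verdicts[target] = request_path_is_blocked(target)
    return verdicts


# Constructed sample request lines: two legitimate Grafana paths and three
# spellings of the blocked prefix (raw, partially encoded, fully encoded).
SAMPLE_REQUESTS = [
    "GET /d/abc123/example-dashboard HTTP/1.1",
    "GET /\\evil.example/?orgId=2 HTTP/1.1",
    "GET /%5Cevil.example/ HTTP/1.1",
    "GET %2F%5Cevil.example%2F HTTP/1.1",
    "GET /api/org HTTP/1.1",
]

if __name__ == "__main__":
    for target, blocked in classify_requests(SAMPLE_REQUESTS).items():
        print(f"{'BLOCK' if blocked else 'allow'}  {target}")
    print("browser sees /\\evil.example/ as", browser_normalize("/\\evil.example/"))
```

`redirect_leaves_site` is the check a naive "starts with a single slash" validator gets wrong, and the reason the mitigation targets the two-character prefix rather than the host name. `classify_requests` can be pointed at a sample of your access log to confirm the rule only fires on the malformed prefix and not on ordinary dashboard or API paths.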
Timeline and post-incident review
All times are in UTC
- 2025-06-17 08:55 - Bug bounty report created
- 2025-06-17 09:21 - Bug bounty report triaged and confirmed as valid
- 2025-06-25 16:33 - Fix created internally
- 2025-07-03 01:36 - Private releases created for both CVE-2025-6197 and CVE-2025-6023
- 2025-07-17 22:30 - Public release
- 2025-07-18 01:30 - Blog post published
Acknowledgements
This vulnerability was discovered by Dat Phung, who notified us through our bug bounty program.
Reporting security issues
If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.
Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.
You can also read more about our bug bounty program and have a look at our Security Hall of Fame.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.