Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins | Grafana Labs

Products Open Source Solutions Learn Docs Pricing

Downloads Contact us Sign in

Create free account Contact us

Products

LGTM+ Stack

Logs

powered by Grafana Loki

Grafana

for visualization

Traces

powered by Grafana Tempo

Metrics

powered by Grafana Mimir and Prometheus

Profiles

powered by Grafana Pyroscope

Key Capabilities

AI/ML insights

Identify anomalies and reduce toil

Contextual root cause analysis

Automated anomaly correlation

SLO management

Create SLOs and error budget alerts

Alerting

Trigger alerts from any data source

Plugins

Connect Grafana to data sources, apps, and more

Observability Solutions

Frontend Observability

Gain real user monitoring insights

Application Observability

Monitor application performance

Infrastructure observability

Ensure infrastructure health and performance

Testing

Performance & load testing

powered by Grafana k6

Synthetic Monitoring

powered by Grafana k6

IRM

Grafana IRM

Observability native incident response

Incident

Routine task automation for incidents

OnCall

Flexible on-call management

Deploy The Stack

Grafana Cloud

Fully managed

Grafana Enterprise

Self-managed

Open Source

Grafana Loki

Multi-tenant log aggregation system

Grafana

Query, visualize, and alert on data

Grafana Tempo

High-scale distributed tracing backend

Grafana Mimir

Scalable and performant metrics backend

Grafana Pyroscope

Scalable continuous profiling backend

Grafana Beyla

eBPF auto-instrumentation

Grafana Faro

Frontend application observability web SDK

Grafana Alloy

OpenTelemetry Collector distribution with Prometheus pipelines

Grafana OnCall

On-call management

Grafana k6

Load testing for engineering teams

Prometheus

Monitor Kubernetes and cloud native

OpenTelemetry

Instrument and collect telemetry data

Graphite

Scalable monitoring for time series data

All

Community resources

Dashboard templates

Try out and share prebuilt visualizations

Prometheus exporters

Get your metrics into Prometheus quickly

end-to-end solutions

Opinionated solutions that help you get there easier and faster

Kubernetes Monitoring

Get K8s health, performance, and cost monitoring from cluster to container

Application Observability

Monitor application performance

Frontend Observability

Gain real user monitoring insights

Incident Response & Management

Detect and respond to incidents with a simplified workflow

All monitoring and visualization solutions

monitor infrastructure

Out-of-the-box KPIs, dashboards, and alerts for observability

Microsoft Azure

All monitoring solutions

visualize any data

Instantly connect all your data sources to Grafana

All visualization solutions

Learn

Stay up to date

GrafanaCON 2025: May 6-8

Bring your crew and save up to 20% off

Registration

ObservabilityCON on the Road

Observability roadshow series

Blog

News, releases, cool stories, and more

Observability survey report 2025

Industry insights on the state of observability

New

Benefits of Observability

New research, reports, and insights

New

Story of Grafana

10 years of Grafana

Events

Upcoming in-person and virtual events

Success stories

By use case, product, and industry

Technical learning

Documentation

All the docs

Webinars and videos

Demos, webinars, and feature tours

Tutorials

Step-by-step guides

Workshops

Free, in-person or online

Writers' Toolkit

Contribute to technical documentation provided by Grafana Labs

Plugin development

Visit the Grafana developer portal for tools and resources for extending Grafana with plugins.

new

Professional Services

Expert guidance and training

Join the community

Community

Join the Grafana community

new

Community forums

Ask the community for help

Community Slack

Real-time engagement

Grafana Champions

Contribute to the community

new

Community organizers

Host local meetups

new

LGTM+ Stack

Logs

powered by Grafana Loki

Grafana

for visualization

Traces

powered by Grafana Tempo

Metrics

powered by Grafana Mimir and Prometheus

Profiles

powered by Grafana Pyroscope

Key Capabilities

AI/ML insights

Identify anomalies and reduce toil

Contextual root cause analysis

Automated anomaly correlation

SLO management

Create SLOs and error budget alerts

Alerting

Trigger alerts from any data source

Plugins

Connect Grafana to data sources, apps, and more

Observability Solutions

Frontend Observability

Gain real user monitoring insights

Application Observability

Monitor application performance

Infrastructure observability

Ensure infrastructure health and performance

Testing

Performance & load testing

powered by Grafana k6

Synthetic Monitoring

powered by Grafana k6

IRM

Grafana IRM

Observability native incident response

Incident

Routine task automation for incidents

OnCall

Flexible on-call management

Deploy The Stack

Grafana Cloud

Fully managed

Grafana Enterprise

Self-managed

Grafana Loki

Multi-tenant log aggregation system

Grafana

Query, visualize, and alert on data

Grafana Tempo

High-scale distributed tracing backend

Grafana Mimir

Scalable and performant metrics backend

Grafana Pyroscope

Scalable continuous profiling backend

Grafana Beyla

eBPF auto-instrumentation

Grafana Faro

Frontend application observability web SDK

Grafana Alloy

OpenTelemetry Collector distribution with Prometheus pipelines

Grafana OnCall

On-call management

Grafana k6

Load testing for engineering teams

Prometheus

Monitor Kubernetes and cloud native

OpenTelemetry

Instrument and collect telemetry data

Graphite

Scalable monitoring for time series data

Community resources

Dashboard templates

Try out and share prebuilt visualizations

Prometheus exporters

Get your metrics into Prometheus quickly

end-to-end solutions

Opinionated solutions that help you get there easier and faster

Kubernetes Monitoring

Get K8s health, performance, and cost monitoring from cluster to container

Application Observability

Monitor application performance

Frontend Observability

Gain real user monitoring insights

Incident Response & Management

Detect and respond to incidents with a simplified workflow

monitor infrastructure

Out-of-the-box KPIs, dashboards, and alerts for observability

Microsoft Azure

visualize any data

Instantly connect all your data sources to Grafana

All monitoring and visualization solutions

Stay up to date

GrafanaCON 2025: May 6-8

Bring your crew and save up to 20% off

Registration

ObservabilityCON on the Road

Observability roadshow series

Blog

News, releases, cool stories, and more

Observability survey report 2025

Industry insights on the state of observability

New

Benefits of Observability

New research, reports, and insights

New

Story of Grafana

10 years of Grafana

Events

Upcoming in-person and virtual events

Success stories

By use case, product, and industry

Technical learning

Documentation

All the docs

Webinars and videos

Demos, webinars, and feature tours

Tutorials

Step-by-step guides

Workshops

Free, in-person or online

Writers' Toolkit

Contribute to technical documentation provided by Grafana Labs

Plugin development

Visit the Grafana developer portal for tools and resources for extending Grafana with plugins.

new

Professional Services

Expert guidance and training

Join the community

Community

Join the Grafana community

new

Community forums

Ask the community for help

Community Slack

Real-time engagement

Grafana Champions

Contribute to the community

new

Community organizers

Host local meetups

new

Featured

May 6-8 in Seattle

Join our biggest community event of the year—get a first look at Grafana 12, plus a science fair and sessions on Prometheus, OpenTelemetry, and more. Save 20% with 3+ or 10% when you bring a friend.

Register now →

Issue Details: CVE-2022-39201

Date Published: October 12, 2022

Description:

Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user’s Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.