Authorization vulnerability in /apis allows authenticated users to bypass all dashboard permissions
Issue Details: CVE-2025-3260
Date Published: June 2, 2025
Description:
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact:
- Viewers can view all dashboards/folders regardless of permissions
- Editors can view/edit/delete all dashboards/folders regardless of permissions
- Editors can create dashboards in any folder regardless of permissions
- Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
This vulnerability is present in 11.6.0, and 11.6.1 and fixed in 11.6.1+security-01 and higher.