Grafana Open Redirect in Organization Switching
Advisory ID: CVE-2025-6197
Published: 2025-07-18
Product: Grafana
CVSS Score: 4.2
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Fixed Versions: >=12.0.2+security-01, >=11.6.3+security-01, >=11.5.6+security-01, >=11.4.6+security-01, >=11.3.8+security-01
Summary
An open redirect vulnerability has been identified in Grafana's organization switching functionality.
Prerequisites for exploitation:
- Multiple organizations must exist in the Grafana instance
- Victim must be on a different organization than the one specified in the URL
Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01.
UPDATE: Thanks to dat2phit_opswat for reporting a bypass of this fix. Versions 12.1.2, 12.0.5, 11.6.6, 11.5.9 and 11.4.9 include a fix for this bypass.
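The defensive pattern behind this class of bug is to treat any caller-supplied post-switch redirect target as untrusted and only honour it when it is a path on the instance's own origin. The Go example below is added here to illustrate that check; it is not Grafana's code and does not reproduce either the original flaw or the reported bypass. The parameter name `redirectTo`, the helper names and the sample inputs are all assumptions constructed for the example. It goes slightly beyond the advisory text by rejecting the encodings that commonly slip past a naive "starts with /" test (protocol-relative `//`, backslash variants, and percent-encoded slashes).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// IsSafeRedirect reports whether raw is an acceptable redirect target after an
// organization switch: a rooted path on this origin, never an absolute,
// protocol-relative or scheme-bearing URL. (Hypothetical helper, not Grafana's.)
func IsSafeRedirect(raw string) bool {
	if raw == "" {
		return false
	}
	// Reject ASCII control characters and DEL; they can confuse URL parsers.
	for _, r := range raw {
		if r < 0x20 || r == 0x7f {
			return false
		}
	}
	// Must be a rooted path. "//host" is protocol-relative and "/\host" is
	// normalised to "//host" by some browsers, so both are refused up front.
	if !strings.HasPrefix(raw, "/") ||
		strings.HasPrefix(raw, "//") ||
		strings.HasPrefix(raw, "/\\") {
		return false
	}
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	// Anything that parsed with a scheme, host or userinfo is off-origin.
	if u.Scheme != "" || u.Host != "" || u.User != nil {
		return false
	}
	// url.Parse decodes "%2F"; refuse a decoded path that became "//host".
	if strings.HasPrefix(u.Path, "//") || strings.HasPrefix(u.Path, "/\\") {
		return false
	}
	return true
}

// SafeRedirectOrDefault returns raw when it passes IsSafeRedirect and
// fallback (typically "/") otherwise, so the handler never echoes an
// attacker-chosen destination into a Location header.
func SafeRedirectOrDefault(raw, fallback string) string {
	if IsSafeRedirect(raw) {
		return raw
	}
	return fallback
}

func main() {
	// Constructed sample values for the assumed "redirectTo" parameter.
	samples := []string{
		"/d/abc123/my-dashboard?orgId=2",
		"/dashboards",
		"https://evil.example/",
		"//evil.example/",
		"/\\evil.example",
		"/%2F%2Fevil.example",
		"javascript:alert(1)",
		"",
	}
	for _, s := range samples {
		fmt.Printf("redirectTo=%q -> %q\n", s, SafeRedirectOrDefault(s, "/"))
	}
}
```

Calling `SafeRedirectOrDefault` with the value of the redirect parameter and `"/"` as the fallback gives the handler a single safe destination to emit; the same check can be reused for the post-login redirect, since both paths take a user-controlled target.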