Cross-dashboard privilege escalation via permission management
| Advisory ID: | CVE-2026-21721 |
| Published: | 2026-01-27 |
| Product: | Grafana |
| CVSS Score: | 8.1 |
| CVSS Vector: | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| Fixed Versions: | >=12.3.0 <12.3.1+security-01, >=12.2.0 <12.2.3+security-01, >=12.1.0 <12.1.5+security-01, >=12.0.0 <12.0.8+security-01, >=10.2.0 <11.6.9+security-01 |
Summary
Grafana is an open-source platform for monitoring and observability. The platform supports creating dashboards, which collate various visualisation panels onto one plane. These can have per-user permissions.
If a user has permission management rights on one dashboard, they could edit the permissions of any other dashboard.
This bug was reported via our bug bounty program.
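A fleet triage check built from the version table above, as an added example that is not part of the advisory or Grafana's own tooling. It assumes each listed range describes releases that still need the fix, with the upper bound being the first fixed build, and that `X.Y.Z+security-NN` orders after plain `X.Y.Z`; the hostnames and inventory are constructed.

```python
import re

# Ranges copied from the advisory table: (lower bound inclusive, upper bound exclusive).
RANGES = [
    ("12.3.0", "12.3.1+security-01"),
    ("12.2.0", "12.2.3+security-01"),
    ("12.1.0", "12.1.5+security-01"),
    ("12.0.0", "12.0.8+security-01"),
    ("10.2.0", "11.6.9+security-01"),
]

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse(version):
    """Return (major, minor, patch, security_rev); security_rev is 0 without a suffix.

    Assumption: X.Y.Z+security-NN orders after plain X.Y.Z. Strict SemVer
    ignores build metadata for precedence, so a generic SemVer comparison
    would treat the two as equal and misjudge the upper bound.
    """
    m = _VERSION.match(version.strip())
    if not m:
        # Fail loudly on pre-releases or custom builds instead of guessing.
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def in_listed_range(version):
    """True if the version falls inside any range listed in the advisory."""
    v = parse(version)
    return any(parse(lo) <= v < parse(hi) for lo, hi in RANGES)


def triage(inventory):
    """Map hostname -> True when that host's version needs upgrading."""
    return {host: in_listed_range(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "grafana-prod": "12.3.1",
    "grafana-stage": "12.3.1+security-01",
    "grafana-legacy": "11.2.0",
    "grafana-old": "10.1.5",
}

if __name__ == "__main__":
    for host, needs_upgrade in triage(SAMPLE).items():
        print(f"{host}: {'UPGRADE' if needs_upgrade else 'ok'}")
```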
