Cross-Tenant Legacy Correlation Disclosure and Deletion
| Advisory ID: | CVE-2026-21727 |
| Published: | 2026-01-29 |
| Product: | Grafana |
| CVSS Score: | 3.3 |
| CVSS Vector: | CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N |
| Fixed Versions: | >=12.3.3, >=12.2.4 <12.3.0, >=12.1.6 <12.2.0, >=12.0.9 <12.1.0, >=11.6.11 <12.0.0 |
Summary
A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization.
Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
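The isolation failure described in the summary, shown as an added example that is not Grafana's code or its actual fix: a query scope that also matches org_id = 0 next to a strict per-organization scope, with a backfill that assigns legacy rows to the organization owning their source datasource. The table layout, column names, helper names and sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed, simplified schema and rows; not Grafana's real tables.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE data_source (uid TEXT PRIMARY KEY, org_id INTEGER NOT NULL);
        CREATE TABLE correlation (uid TEXT PRIMARY KEY, org_id INTEGER NOT NULL,
                                  source_uid TEXT NOT NULL, label TEXT);
        INSERT INTO data_source VALUES ('ds-a', 1), ('ds-b', 2);
        INSERT INTO correlation VALUES
            ('c1', 1, 'ds-a', 'org 1 record'),
            ('c2', 2, 'ds-b', 'org 2 record'),
            ('c3', 0, 'ds-b', 'legacy record on an org 2 datasource');
    """)
    return db

# Backward-compatibility scope: org_id = 0 rows match for every organization.
LEGACY_COMPAT = "(org_id = ? OR org_id = 0)"
# Strict scope: only rows stamped with the caller's organization match.
STRICT = "org_id = ?"

# `scope` is always one of the two constants above, never caller input.
def list_uids(db, org_id, scope):
    sql = f"SELECT uid FROM correlation WHERE {scope} ORDER BY uid"
    return [row[0] for row in db.execute(sql, (org_id,))]

def delete_uid(db, org_id, uid, scope):
    sql = f"DELETE FROM correlation WHERE uid = ? AND {scope}"
    return db.execute(sql, (uid, org_id)).rowcount

def backfill_legacy_owner(db):
    """Stamp each org_id = 0 row with the org that owns its source datasource."""
    sql = """UPDATE correlation
             SET org_id = (SELECT d.org_id FROM data_source d
                           WHERE d.uid = correlation.source_uid)
             WHERE org_id = 0
               AND EXISTS (SELECT 1 FROM data_source d
                           WHERE d.uid = correlation.source_uid)"""
    return db.execute(sql).rowcount
```

Legacy rows whose source datasource no longer exists are left at org_id = 0 by the backfill and stay invisible under the strict scope, so they need a manual ownership decision.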
