Public dashboards disclose all direct mode datasources
Medium
| Advisory ID: | CVE-2026-27877 |
| Published: | 2026-03-30 |
| Product: | Grafana |
| CVSS Score: | 6.5 |
| CVSS Vector: | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Fixed Versions: | <9.3.0, >=11.6.14 <12.0.0, >=12.1.10 <12.2.0, >=12.2.8 <12.3.0, >=12.3.6 <12.4.0, >=12.4.2 |
Summary
When public dashboards and direct data-sources are in use, the passwords of all direct data-sources are exposed, including those of data-sources that are not used in any dashboard.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments’ security.
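One way to triage a deployment against this advisory, as an added example that is not part of the advisory or of Grafana's own code: it checks a version string against the Fixed Versions ranges above and lists data sources still in direct mode. It assumes the data source listing is available as JSON with an `access` field of `proxy` or `direct`, as returned by Grafana's data source HTTP API; the function names and sample data are constructed for illustration.

```python
import json

# Ranges from the advisory's "Fixed Versions" row as (inclusive lower bound,
# exclusive upper bound); None means unbounded on that side.
FIXED_RANGES = [
    (None, (9, 3, 0)),
    ((11, 6, 14), (12, 0, 0)),
    ((12, 1, 10), (12, 2, 0)),
    ((12, 2, 8), (12, 3, 0)),
    ((12, 3, 6), (12, 4, 0)),
    ((12, 4, 2), None),
]

def parse_version(text):
    """Turn '12.3.6' or 'v12.3.6+build' into (12, 3, 6); suffixes are ignored."""
    core = text.strip().lstrip("v").split("+")[0].split("-")[0]
    parts = [int(p) for p in core.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_fixed(version_text):
    """True when the version falls inside one of the listed fixed ranges."""
    v = parse_version(version_text)
    return any((lo is None or v >= lo) and (hi is None or v < hi)
               for lo, hi in FIXED_RANGES)

def direct_datasources(datasources):
    """Return (name, type) for each data source whose access mode is 'direct'."""
    return [(d.get("name"), d.get("type")) for d in datasources
            if d.get("access") == "direct"]

# Constructed sample shaped like a data source listing; not real data.
SAMPLE = json.loads("""[
  {"name": "prod-prometheus", "type": "prometheus", "access": "proxy"},
  {"name": "legacy-influx", "type": "influxdb", "access": "direct"},
  {"name": "logs-loki", "type": "loki", "access": "proxy"}
]""")

def audit(version_text, datasources):
    """Summarise patch status and the data sources still to convert."""
    return {"fixed": is_fixed(version_text),
            "direct": direct_datasources(datasources)}

if __name__ == "__main__":
    print(audit("12.3.5", SAMPLE))
```

Any entry returned under `direct` is a candidate for conversion to a proxied data source, whether or not the version check passes.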