CVE-2026-21722

Published Feb 12, 2026

Last updated a month ago

CVSS medium 5.3
IDOR
WCFM Marketplace

Overview

Description
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.
Source
security@grafana.com
NVD status
Modified
Products
grafana

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.3
Impact score
1.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity
MEDIUM

Weaknesses

nvd@nist.gov
CWE-200
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-863

Social media

Hype score
Not currently trending

  1. Vulnerability-spoiler-alert has detected its first two live “negative-days” in Grafana! CVE-2025-41117 (XSS) and CVE-2026-21722 (Privesc) are still unpublished right now, but is detectable via commits in the open-source repo. That’s at least 1 hour early. PoCs and more at h

    @spaceraccoonsec

    11 Feb 2026

    9552 Impressions

    23 Retweets

    188 Likes

    84 Bookmarks

    0 Replies

    0 Quotes

  2. Vulnerability-spoiler-alert has detected its first two live “negative-days” in Grafana! CVE-2025-41117 (XSS) and CVE-2026-21722 (Privesc) are still unpublished right now, but is detectable via commits in the open-source repo. That’s at least 1 hour head start. PoCs and more

    @spaceraccoonsec

    11 Feb 2026

    881 Impressions

    0 Retweets

    15 Likes

    2 Bookmarks

    1 Reply

    1 Quote

  3. Vulnerability-spoiler-alert has detected its first two live “negative-days” in Grafana! CVE-2025-4117 (XSS) and CVE-2026-21722 (Privesc) are still unpublished right now, but is detectable via commits in the open-source repo. That’s at least 1 hour head start. PoCs and more

    @spaceraccoonsec

    11 Feb 2026

    842 Impressions

    1 Retweet

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  4. Vulnerability-spoiler-alert has detected its first two live “negative-days” in Grafana! CVE-2025-4117 (XSS) and CVE-2026-21722 (Privesc) are still unpublished right now, but is detectable via commits and pull requests in the open-source repo. PoCs and more at https://t.co/v6P

    @spaceraccoonsec

    11 Feb 2026

    63 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion. - Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana. - The attacker must delete the datasource, then someone must recreate it. - The new datasource must not have the attacker as an admin. - The new datasource must have the same UID as the prior datasource. These are randomised by default. - The datasource can now be re-deleted by the attacker. - Once 30 seconds are up, the attack is spent and cannot be repeated. - No datasource with any other UID can be attacked.CVE-2026-21725
  2. Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.CVE-2025-41117
  3. Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.CVE-2026-21720
  4. SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met: - `enableSCIM` feature flag set to true - `user_sync_enabled` config option in the `[auth.scim]` block set to trueCVE-2025-41115
  5. A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.CVE-2025-4123

References

Sources include official advisories and independent security research.