A vulnerability in Grafana allows authenticated users to read arbitrary files from the server when the SQL Expressions feature is enabled.
Grafana
Grafana Labs · 12.05.2026
Upgrade assessment
Security-relevant · Update soon
Derived automatically from release, repo and CVE data — no judgment by a language model.
A vulnerability in Grafana allows authenticated users to consume unlimited memory through special requests to plugin endpoints, potentially crashing the server and causing service disruption.
affects: ≥8.5.0 <11.6.14; ≥12.2.0 <12.2.8; ≥12.3.0 <12.3.6; ≥12.4.0 <12.4.3; =11.6.14; =12.2.8; =12.3.6; =12.4.3 · v11.6.14+security-04 not affected
A vulnerability in Grafana Live allows authenticated users with Viewer permissions to crash the server through concurrent requests, causing complete service outage until restart.
affects: ≥8.5.0 <11.6.14; ≥12.2.0 <12.2.8; ≥12.3.0 <12.3.6; ≥12.4.0 <12.4.3; =11.6.14; =12.2.8; =12.3.6; =12.4.3 · v11.6.14+security-04 not affected
A vulnerability in Grafana's Live push feature allows authenticated users to cause unlimited memory consumption by sending large amounts of data, potentially leading to system crashes.
affects: ≥8.0.0 <11.6.14; ≥12.0.0 <12.2.8; ≥12.3.0 <12.3.6; ≥12.4.0 <12.4.3; =11.6.14; =12.2.8; =12.3.6; =12.4.3 · v11.6.14+security-04 not affected
A vulnerability in Grafana's Correlations feature allows users with datasource management privileges to view and permanently delete legacy correlation data belonging to other organizations, bypassing tenant isolation.
affects: <11.6.11; ≥12.0.0 <12.0.9; ≥12.1.0 <12.1.6; ≥12.2.0 <12.2.4; ≥12.3.0 <12.3.3 · v11.6.14+security-04 not affected
In Grafana's notification system, users with edit permissions can modify endpoint URLs of other users' contact points and capture confidential credentials like Slack tokens through the test function, enabling unauthorized access to external services.
affects: ≥8.0.0 ≤12.3.0 · your v11.6.14+security-04 affected
A vulnerability in Grafana's test data source can be exploited to cause memory issues that crash the application.
affects: <8.1.0; ≥11.6.14 <12.0.0; ≥12.1.10 <12.2.0; ≥12.2.8 <12.3.0; ≥12.3.6 <12.4.0 · your v11.6.14+security-04 affected
A vulnerability in Grafana allows attackers to cause system crashes by overwhelming memory through specially crafted resample queries, leading to denial of service.
affects: <8.0.0; ≥11.6.14 <12.0.0; ≥12.1.10 <12.2.0; ≥12.2.8 <12.3.0; ≥12.3.6 <12.4.0 · your v11.6.14+security-04 affected
A vulnerability in Grafana allows attackers to execute arbitrary code on the server through a combination of SQL expressions and Enterprise plugins. Only instances with the sqlExpressions feature enabled in specific versions between 11.6.0 and 12.4.1 are affected.
affects: <11.6.0; ≥11.6.14 <12.0.0; ≥12.1.10 <12.2.0; ≥12.2.8 <12.3.0; ≥12.3.6 <12.4.0 · your v11.6.14+security-04 affected
A vulnerability in Grafana Tempo exposes the S3 encryption key in plain text through a status endpoint, allowing unauthorized individuals to access the key used for encrypted trace data.
A vulnerability in Grafana's MSSQL plugin allows low-privileged users to bypass security restrictions and crash the server by causing excessive memory consumption.
affects: ≥11.6.0 <11.6.14; ≥12.1.0 <12.1.10; ≥12.2.0 <12.2.8; ≥12.3.0 <12.3.6; ≥12.4.0 <12.4.2 · v11.6.14+security-04 not affected
A vulnerability in Grafana allows users with Editor role to modify protected webhook URLs despite lacking the required permissions for such changes.
affects: ≥11.6.9 <11.6.14; ≥12.1.5 <12.1.10; ≥12.2.2 <12.2.8; ≥12.3.1 <12.3.6 · v11.6.14+security-04 not affected
A security vulnerability in the Grafana Cubism panel plugin allows attackers with editor privileges to inject malicious JavaScript code that executes when other users interact with the panel.
affects: ≤0.1.2 · v11.6.14+security-04 not affected
A vulnerability in Grafana allows attackers to delete data sources without permission if they were previously deleted and then recreated. This requires very specific conditions to be met and only works within a 30-second window.
affects: ≥11.0.0 <12.4.1 · your v11.6.14+security-04 affected
A vulnerability in Grafana's Explore Traces view allows attackers to inject malicious JavaScript code through stack traces, which then executes in the browser. Only data sources using Jaeger HTTP API are affected.
affects: ≥12.2.0 <12.2.4; ≥12.3.0 <12.3.2; =12.2.4; =12.3.2 · v11.6.14+security-04 not affected
A critical security vulnerability in Grafana allows attackers to access and delete dashboard snapshots without authentication by using specific URL paths.
A vulnerability in Grafana allows attackers to execute malicious JavaScript code through specially crafted URLs when users are unauthenticated and visit certain pages.
A vulnerability in Grafana allowed organization administrators to manage user roles in other organizations where they had no authority. This only affected installations with the fine-grained access control beta feature enabled and multiple organizations present.
Grafana versions 8.0.0-beta1 through 8.3.0 contain a path traversal vulnerability that allows attackers to access local server files through specific plugin URLs.
Grafana applications between versions 5.0.0 and 8.3.1 contain a security vulnerability that allows authenticated users to read certain markdown files through directory traversal attacks.
Grafana contains a security vulnerability that allows authenticated users to read arbitrary CSV files through directory traversal, but only when the TestData DB data source is enabled.
A flaw in Grafana allows API token holders to access data they shouldn't have permission for by forwarding the OAuth identity of the most recently logged-in user.
Grafana versions up to 8.3.4 contain a Cross-Site Scripting vulnerability where attackers can inject malicious HTML code through compromised data sources or plugins. Authenticated users could be tricked into executing malicious code through specially crafted links.
Grafana dashboards are vulnerable to Cross-Site Request Forgery attacks where attackers can trick authenticated users into granting them high privileges. All versions from 3.0-beta1 onwards are affected, allowing privilege escalation by deceiving administrators.
Grafana versions from 5.0.0-beta1 onwards have a vulnerability in the Teams API that allows authenticated attackers to access team data they should not have permission to view.
A vulnerability in Grafana Enterprise allows attackers to gain elevated privileges when the fine-grained access control beta feature is enabled and multiple API keys with different roles are used.
Grafana Enterprise has a vulnerability that allows attackers to bypass network restrictions for data sources by using HTTP redirects to access servers that should be blocked.
Grafana versions 8.0 and later contain a stored Cross-Site Scripting vulnerability in the Unified Alerting feature. Attackers can exploit this to escalate their privileges from Editor to Admin by tricking authenticated administrators into clicking a malicious link.
A vulnerability in Grafana's OAuth authentication allows malicious users to take over existing user accounts. All Grafana versions from 5.3 onwards are affected and should be updated immediately.
A vulnerability in Grafana allows attackers to bypass plugin signature verification and install malicious plugins even when unsigned plugins should be blocked by security settings.
A vulnerability in Grafana allows certain plugins to intercept user authentication tokens, potentially exposing sensitive login credentials.
A vulnerability in Grafana allows administrators to escalate their privileges to Server Admin when Auth Proxy authentication is used. Attackers can create a fake datasource pointing to localhost that contains admin user credentials to gain elevated access.
A flaw in Grafana's role-based access control allows users with Editor or Viewer permissions to access folders and dashboards that should only be available to Administrators.
A security vulnerability in Grafana allows plugins to receive user authentication cookies, which occurs under certain conditions at data source and plugin proxy endpoints.
Grafana has an authentication flaw where an attacker can prevent legitimate users from logging in by registering a username that matches another user's email address.
Grafana has a vulnerability in invitation links that allows attackers to register with arbitrary usernames or email addresses to gain unauthorized access to organizations.
Grafana applications up to version 9.x have a vulnerability that allows attackers to discover which usernames or email addresses exist in the system by abusing the password reset function.
In Grafana, users with Viewer permissions can inject arbitrary URLs when creating dashboard snapshots, which are then displayed to other users as trusted links to the original dashboard.
A race condition in Grafana allows unauthenticated users to query protected endpoints because under heavy load HTTP requests can receive incorrect authentication middleware from other calls.
A vulnerability in Grafana Enterprise allows attackers to escalate their privileges by manipulating SAML responses containing multiple assertions. Only unsigned SAML documents with at least one signed assertion are affected, potentially allowing attackers to gain administrative access.
A flaw in Grafana Enterprise allows users to receive other users' session cookies when datasource query caching is enabled, potentially granting unauthorized access to other user accounts.
A vulnerability in Grafana's GeoMap plugin allows users with Editor permissions to inject malicious JavaScript code through SVG files, which then executes in other users' browsers and can be exploited for privilege escalation.
A security vulnerability in Grafana's Text plugin allows users with Editor permissions to store malicious JavaScript code that executes when Admin users edit the panel and click specific options.
Security update fixes critical vulnerabilities and an error when updating Alertmanager configuration
Grafana 13.0.1 fixes unified storage migration issues and improves dashboard timezone handling and provisioning validation
Maintenance update with Go upgrade to version 1.25.9, improvements to analytics and reporting features, and documentation fix for alerting metrics
Security update with fixes for multiple CVE vulnerabilities and improved Public Dashboard security across organizations
Patch release with security fixes for multiple CVEs, accessibility improvements, and bug fixes for plugins and dashboards
Updated Go runtime to version 1.25.8 and added support for custom CA certificates in Image Renderer
Maintenance update with Go 1.25.8, custom CA certificate support in Image Renderer, and fix for dashboard versions list API
Maintenance update with Go 1.25.8, custom CA certificate support in Image Renderer and fix for dashboard versions list API
Maintenance update with Go upgrade to 1.25.8, improved access control and bug fixes for alerting and MariaDB compatibility
Grafana 12.4.0 introduces extensive alerting improvements with new UI features, RBAC permissions, and performance optimizations
Grafana v11.6.12 has been released with download links and documentation for new features
Bug fixes for dashboard export with datasource variables and provisioning with nanogit library
Grafana 12.0.10 adds size limits for expanded notification templates and improves security for public dashboard annotations
Grafana 12.1.7 removes support for org_id=0 in correlations, adds size limits for notification templates, and updates Go to version 1.25.7
Grafana 12.2.5 removes support for org_id=0 in correlations, adds limits for notification templates and fixes security issues
Grafana 12.3.3 removes support for org_id=0 in correlations, adds limits for notification templates and fixes security issues