CVE-2026-21721
Modified
Modified - Updated After Analysis
Privilege Escalation via Dashboard Permissions API in Grafana
Vulnerability report for CVE-2026-21721, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-01-27
Last updated on: 2026-06-30
Assigner: Grafana Labs
Description
Description
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | grafana | 11.6.9 |
| grafana | grafana | 12.0.8 |
| grafana | grafana | 12.1.5 |
| grafana | grafana | 12.2.3 |
| grafana | grafana | 12.3.0 |
| grafana | grafana | 12.3.1 |
| grafana | grafana | From 10.2.0 (inc) to 11.6.9 (exc) |
| grafana | grafana | From 12.0.0 (inc) to 12.0.8 (exc) |
| grafana | grafana | From 12.1.0 (inc) to 12.1.5 (exc) |
| grafana | grafana | From 12.2.0 (inc) to 12.2.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |