CVE-2026-21721
Modified Modified - Updated After Analysis

Privilege Escalation via Dashboard Permissions API in Grafana

Vulnerability report for CVE-2026-21721, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-27

Last updated on: 2026-06-30

Assigner: Grafana Labs

Description

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-27
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-01-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 10 associated CPEs
Vendor Product Version / Range
grafana grafana 11.6.9
grafana grafana 12.0.8
grafana grafana 12.1.5
grafana grafana 12.2.3
grafana grafana 12.3.0
grafana grafana 12.3.1
grafana grafana From 10.2.0 (inc) to 11.6.9 (exc)
grafana grafana From 12.0.0 (inc) to 12.0.8 (exc)
grafana grafana From 12.1.0 (inc) to 12.1.5 (exc)
grafana grafana From 12.2.0 (inc) to 12.2.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs because the dashboard permissions API does not verify the specific dashboard scope when managing permissions. Instead, it only checks if a user has the general dashboards.permissions:* action. Consequently, a user with permission management rights on one dashboard can read and modify permissions on other dashboards within the organization, leading to an internal privilege escalation.

Impact Analysis

This vulnerability can allow a user with permission management rights on a single dashboard to escalate their privileges and access or modify permissions on other dashboards within the organization. This could lead to unauthorized access, modification of sensitive data, and potential disruption of dashboard configurations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21721. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart