CVE-2026-21721
Privilege Escalation via Dashboard Permissions API in Grafana
Publication date: 2026-01-27
Last updated on: 2026-04-20
Assigner: Grafana Labs
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | grafana | 11.6.9 |
| grafana | grafana | 12.0.8 |
| grafana | grafana | 12.1.5 |
| grafana | grafana | 12.2.3 |
| grafana | grafana | 12.3.0 |
| grafana | grafana | 12.3.1 |
| grafana | grafana | From 10.2.0 (inc) to 11.6.9 (exc) |
| grafana | grafana | From 12.0.0 (inc) to 12.0.8 (exc) |
| grafana | grafana | From 12.1.0 (inc) to 12.1.5 (exc) |
| grafana | grafana | From 12.2.0 (inc) to 12.2.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because the dashboard permissions API does not check that the caller's permission is scoped to the specific dashboard whose permissions are being managed. Instead, it only checks whether the user holds the general dashboards.permissions:* action at all. Consequently, a user who has permission management rights on a single dashboard can read and modify the permissions of other dashboards within the same organization, which is an internal privilege escalation.
How can this vulnerability impact me?
This vulnerability can allow a user with permission management rights on a single dashboard to escalate their privileges and access or modify permissions on other dashboards within the organization. This could lead to unauthorized access, modification of sensitive data, and potential disruption of dashboard configurations.