CVE-2026-22639
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: SICK AG
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | grafana | 10.4.19 |
| grafana | grafana | 11.2.10 |
| grafana | grafana | 11.3.7 |
| grafana | grafana | 11.4.5 |
| grafana | grafana | 11.5.5 |
| grafana | grafana | 11.6.2 |
| grafana | grafana | 12.0.1 |
| grafana | grafana | 12.0.2 |
| grafana | grafana | 11.6.3 |
| grafana | grafana | 11.5.6 |
| grafana | grafana | 11.4.6 |
| grafana | grafana | 11.3.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Grafana involves the Alerting DingDing integration, which was not properly protected and could be accessed by users with only Viewer permissions. This means that users who should have limited access could potentially interact with or exploit the DingDing alerting integration due to insufficient access controls. The issue has been fixed in several Grafana versions starting from 10.4.19+security-01 and later.
How can this vulnerability impact me? :
The vulnerability allows users with Viewer permissions, who normally have limited access, to potentially access or manipulate the Grafana Alerting DingDing integration. This could lead to unauthorized alerting actions or exposure of alerting configurations, which might affect monitoring reliability or cause misinformation. The CVSS base score of 4.3 indicates a low to medium severity impact, specifically a low confidentiality impact without affecting integrity or availability.
What immediate steps should I take to mitigate this vulnerability?
Immediate steps to mitigate the vulnerability CVE-2026-22639 include upgrading Grafana to one of the fixed versions: 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01, or 12.0.1+security-01. Additionally, following best security practices such as minimizing network exposure of Grafana instances, restricting network access to trusted users, and implementing proper access controls to prevent users with Viewer permissions from accessing the vulnerable DingDing alerting integration are recommended. [5]