CVE-2026-22639
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: SICK AG

Description
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-01-22
NVD
CVE-2026-22639
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
grafana grafana 10.4.19
grafana grafana 11.2.10
grafana grafana 11.3.7
grafana grafana 11.4.5
grafana grafana 11.5.5
grafana grafana 11.6.2
grafana grafana 12.0.1
grafana grafana 12.0.2
grafana grafana 11.6.3
grafana grafana 11.5.6
grafana grafana 11.4.6
grafana grafana 11.3.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Grafana involves the Alerting DingDing integration, which was not properly protected and could be accessed by users with only Viewer permissions. This means that users who should have limited access could potentially interact with or exploit the DingDing alerting integration due to insufficient access controls. The issue has been fixed in several Grafana versions starting from 10.4.19+security-01 and later.

Impact Analysis

The vulnerability allows users with Viewer permissions, who normally have limited access, to potentially access or manipulate the Grafana Alerting DingDing integration. This could lead to unauthorized alerting actions or exposure of alerting configurations, which might affect monitoring reliability or cause misinformation. The CVSS base score of 4.3 indicates a low to medium severity impact, specifically a low confidentiality impact without affecting integrity or availability.

Mitigation Strategies

Immediate steps to mitigate the vulnerability CVE-2026-22639 include upgrading Grafana to one of the fixed versions: 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01, or 12.0.1+security-01. Additionally, following best security practices such as minimizing network exposure of Grafana instances, restricting network access to trusted users, and implementing proper access controls to prevent users with Viewer permissions from accessing the vulnerable DingDing alerting integration are recommended. [5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22639. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart