CVE-2026-22641
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2026-22641, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: SICK AG

Description

This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-07-06
AI Q&A
2026-01-16
EPSS Evaluated
2026-01-22
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
grafana grafana 11.5.0
grafana grafana From 11.3.8 (inc) to 12.0.2 (inc)
sick_ag sick_incoming_goods_suite From 1.2.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Grafana's datasource proxy API allows attackers to bypass authorization checks by inserting an extra slash character in the URL path. This flaw enables users with minimal permissions to gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. It mainly affects datasources that enforce route-specific permissions, such as Alertmanager and certain Prometheus-based datasources.

Impact Analysis

The vulnerability can lead to unauthorized read access to sensitive data from Alertmanager and Prometheus datasources by users who should have limited permissions. This unauthorized access could expose monitoring data or alerts that are meant to be restricted, potentially compromising operational security or revealing sensitive system information.

Mitigation Strategies

Immediate steps to mitigate this vulnerability include restricting network access to the affected Grafana datasource proxy API, especially limiting access to Alertmanager and Prometheus datasources. Implement network segmentation and access controls to reduce exposure. Monitor and filter HTTP requests to detect and block URL paths containing extra slash characters that could bypass authorization checks. Additionally, apply any available patches or updates from Grafana that address this issue once released. Following best practices for network security such as using firewalls, VPNs, and strict access controls is recommended to reduce attack surface. [5]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22641. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart