CVE-2026-21722
Awaiting Analysis Awaiting Analysis - Queue

Annotation Timerange Exposure in Grafana Public Dashboards

Vulnerability report for CVE-2026-21722, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-12

Last updated on: 2026-02-27

Assigner: Grafana Labs

Description

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-12
Last Modified
2026-02-27
Generated
2026-07-06
AI Q&A
2026-02-12
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
grafana grafana 12.1.6
grafana grafana 12.2.4
grafana grafana 12.3.2
grafana grafana From 9.3.0 (inc) to 11.6.10 (exc)
grafana grafana 11.6.10
grafana grafana From 12.0.0 (inc) to 12.1.6 (exc)
grafana grafana From 12.2.0 (inc) to 12.2.4 (inc)
grafana grafana From 12.3.0 (inc) to 12.3.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in public dashboards with annotations enabled. The issue is that the annotation timerange was not limited to the locked timerange of the public dashboard. As a result, an attacker could read the entire history of annotations visible on that dashboard, including annotations outside the locked timerange.

However, it is important to note that this vulnerability does not leak any annotations that would not otherwise be visible on the public dashboard.

Impact Analysis

The impact of this vulnerability is that an attacker or unauthorized user could access a broader range of annotation history on a public dashboard than intended. This means they could view annotations outside the locked timerange, potentially exposing more historical context or information than was meant to be publicly accessible.

Since the vulnerability does not expose annotations that are not already visible on the public dashboard, the confidentiality impact is limited to the scope of annotations already available publicly.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21722. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart