CVE-2026-21722
Annotation Timerange Exposure in Grafana Public Dashboards
Publication date: 2026-02-12
Last updated on: 2026-02-27
Assigner: Grafana Labs
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | grafana | 12.1.6 |
| grafana | grafana | 12.2.4 |
| grafana | grafana | 12.3.2 |
| grafana | grafana | From 9.3.0 (inc) to 11.6.10 (exc) |
| grafana | grafana | 11.6.10 |
| grafana | grafana | From 12.0.0 (inc) to 12.1.6 (exc) |
| grafana | grafana | From 12.2.0 (inc) to 12.2.4 (inc) |
| grafana | grafana | From 12.3.0 (inc) to 12.3.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in public dashboards with annotations enabled. The issue is that the annotation timerange was not limited to the locked timerange of the public dashboard. As a result, an attacker could read the entire history of annotations visible on that dashboard, including annotations outside the locked timerange.
However, it is important to note that this vulnerability does not leak any annotations that would not otherwise be visible on the public dashboard.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker or unauthorized user could access a broader range of annotation history on a public dashboard than intended. This means they could view annotations outside the locked timerange, potentially exposing more historical context or information than was meant to be publicly accessible.
Since the vulnerability does not expose annotations that are not already visible on the public dashboard, the confidentiality impact is limited to the scope of annotations already available publicly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know