CVE-2026-21722
Awaiting Analysis Awaiting Analysis - Queue
Annotation Timerange Exposure in Grafana Public Dashboards

Publication date: 2026-02-12

Last updated on: 2026-02-27

Assigner: Grafana Labs

Description
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-21722
EUVD
EUVD-2026-7041
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
grafana grafana 12.1.6
grafana grafana 12.2.4
grafana grafana 12.3.2
grafana grafana From 9.3.0 (inc) to 11.6.10 (exc)
grafana grafana 11.6.10
grafana grafana From 12.0.0 (inc) to 12.1.6 (exc)
grafana grafana From 12.2.0 (inc) to 12.2.4 (inc)
grafana grafana From 12.3.0 (inc) to 12.3.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in public dashboards with annotations enabled. The issue is that the annotation timerange was not limited to the locked timerange of the public dashboard. As a result, an attacker could read the entire history of annotations visible on that dashboard, including annotations outside the locked timerange.

However, it is important to note that this vulnerability does not leak any annotations that would not otherwise be visible on the public dashboard.

Impact Analysis

The impact of this vulnerability is that an attacker or unauthorized user could access a broader range of annotation history on a public dashboard than intended. This means they could view annotations outside the locked timerange, potentially exposing more historical context or information than was meant to be publicly accessible.

Since the vulnerability does not expose annotations that are not already visible on the public dashboard, the confidentiality impact is limited to the scope of annotations already available publicly.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21722. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart