CVE-2026-21725
Modified Modified - Updated After Analysis
TOCTOU Vulnerability in Grafana Datasource Allows Unauthorized Deletion

Publication date: 2026-02-25

Last updated on: 2026-05-10

Assigner: Grafana Labs

Description
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion. - Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana. - The attacker must delete the datasource, then someone must recreate it. - The new datasource must not have the attacker as an admin. - The new datasource must have the same UID as the prior datasource. These are randomised by default. - The datasource can now be re-deleted by the attacker. - Once 30 seconds are up, the attack is spent and cannot be repeated. - No datasource with any other UID can be attacked.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-05-10
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21725
EUVD
EUVD-2026-8637
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
grafana grafana From 11.0.0 (inc) to 12.4.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21725 is a low-severity authorization bypass vulnerability in Grafana related to datasource deletion.

It is a time-of-check-to-time-of-use (TOCTOU) flaw that allows an attacker to re-delete a recently deleted and then recreated datasource without proper permission.

  • The attacker must have admin access to the datasource before its initial deletion.
  • All attack steps must occur within 30 seconds and on the same Grafana pod.
  • The attacker deletes the datasource, then another user recreates it.
  • The recreated datasource must have the same UID as the original but not include the attacker as an admin (UIDs are randomized by default).
  • Under these conditions, the attacker can delete the datasource again.

After 30 seconds, the vulnerability expires and cannot be exploited further. No datasources with different UIDs are vulnerable.

Impact Analysis

This vulnerability allows an attacker with prior admin access to a datasource to delete that datasource again after it has been deleted and recreated by someone else, without having permission to do so.

The impact is limited to low availability since the attacker can cause the datasource to be deleted again, potentially disrupting access to that datasource temporarily.

The attack is complex to perform, requires specific timing (within 30 seconds), and user interaction, reducing the likelihood of exploitation.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Grafana to version 12.4.1 or later where the issue has been fixed.

Additionally, be aware that the attack requires admin access to the datasource prior to deletion and must be executed within 30 seconds on the same Grafana pod, so monitoring and restricting admin privileges and pod access can help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21725. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart