CVE-2026-27877
Password Exposure in Grafana Direct Data-Sources via Public Dashboards
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: Grafana Labs
Description
When public dashboards are enabled and the instance has data sources configured for direct (browser) access, the passwords of all direct data-sources are exposed to viewers of a public dashboard, even though the dashboard does not itself use those passwords. Passwords of proxied (server-access) data-sources are not exposed.
Affected Vendors & Products
| Vendor | Product | Version / Range (inc = inclusive, exc = exclusive) |
|---|---|---|
| grafana | grafana | From 11.6.14 (inc) to 12.0.0 (exc) |
| grafana | grafana | From 12.1.10 (inc) to 12.2.0 (exc) |
| grafana | grafana | From 12.2.8 (inc) to 12.3.0 (exc) |
| grafana | grafana | From 12.3.6 (inc) to 12.4.0 (exc) |
| grafana | grafana | to 9.3.0 (exc) |
Note: confirm these ranges against the Grafana Labs advisory before concluding that a deployment is or is not affected. The lower bounds shown (11.6.14, 12.1.10, 12.2.8, 12.3.6) are patch-release numbers, and whether such a release is the first affected or the first fixed version of its minor line is exactly the detail the vendor advisory settles.
AI Powered Q&A
How can this vulnerability impact me?
An exposed data-source password is a credential for the underlying data source itself, not merely for the dashboard. Public dashboards are reachable without a Grafana login, so the exposure is to unauthenticated viewers, who can then read, and depending on the privileges of the exposed account modify, the data held in that source.
To mitigate this risk, convert all direct data-sources to proxied data-sources, whose passwords stay on the Grafana server and are not exposed.
What immediate steps should I take to mitigate this vulnerability?
Convert every direct (browser-access) data-source to a proxied (server-access) data-source wherever possible, and apply the patched Grafana release from the vendor advisory.
With proxied access the Grafana backend holds the credentials and forwards queries on the browser's behalf, so nothing secret has to reach the client; that is why proxied data-sources do not expose their passwords while direct data-sources do. Treat the passwords of any direct data-source on an instance with public dashboards enabled as already exposed and rotate them; until the conversion is done, disabling public dashboards removes the exposure path.
Can you explain this vulnerability to me?
Grafana data sources have two access modes. A proxied (server-access) data source is queried by the Grafana backend, so its credentials never leave the server. A direct (browser-access) data source is queried by the browser itself, which means the data-source configuration, password included, has to be delivered to the client.
The vulnerability is that, in affected versions with public dashboards in use, the passwords of direct data-sources were delivered to public-dashboard viewers even though the dashboards did not use those passwords, so credentials that should have stayed confidential reached anonymous users. Passwords of proxied data-sources are not exposed.
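As an added example (not code from this page or from Grafana Labs), the script below audits a Grafana instance's data sources over the HTTP API, reports those whose access mode is "direct" (the API value for browser access), and optionally switches them to "proxy" (server access) as the mitigation above describes. It assumes the GET /api/datasources and PUT /api/datasources/uid/:uid endpoints and a service-account token in GRAFANA_TOKEN; the SAMPLE_DATASOURCES list is constructed for illustration and is what the script runs against when no instance is configured. Two caveats: after conversion the data-source URL must be reachable from the Grafana server rather than from the browser, and fields stored in secureJsonData are not returned by GET, so verify each converted data source in the UI and rotate the passwords that were already exposed.

```python
"""Audit Grafana data sources for 'direct' (browser) access mode and,
optionally, switch them to 'proxy' (server) access mode.

Assumes the Grafana HTTP API endpoints GET /api/datasources and
PUT /api/datasources/uid/:uid and a service-account bearer token.
"""
import json
import os
import sys
import urllib.request

# Constructed sample in the shape of a GET /api/datasources response, trimmed
# to the fields this script reads. Not output from any real instance.
SAMPLE_DATASOURCES = [
    {"id": 1, "uid": "prom-main", "name": "Prometheus", "type": "prometheus",
     "access": "proxy", "url": "http://prometheus:9090", "basicAuth": False},
    {"id": 2, "uid": "pg-reporting", "name": "Postgres reporting", "type": "postgres",
     "access": "direct", "url": "db.internal:5432", "basicAuth": False},
    {"id": 3, "uid": "es-logs", "name": "Elasticsearch logs", "type": "elasticsearch",
     "access": "direct", "url": "http://es.internal:9200", "basicAuth": True},
]


def find_direct_datasources(datasources):
    """Return the data sources whose access mode is 'direct' (browser access)."""
    return [ds for ds in datasources if ds.get("access") == "direct"]


def to_proxy(ds):
    """Return a copy of a data-source object with access switched to 'proxy'.

    PUT replaces the whole definition, so every other field is carried over
    unchanged. Secrets in secureJsonData are not returned by GET and so are
    not part of this payload; re-check them in the UI after converting.
    """
    updated = dict(ds)
    updated["access"] = "proxy"
    return updated


def audit_report(datasources):
    """Count data sources per access mode and list the names in 'direct' mode."""
    counts = {}
    for ds in datasources:
        mode = ds.get("access", "unknown")
        counts[mode] = counts.get(mode, 0) + 1
    return {"counts": counts,
            "direct": [ds["name"] for ds in find_direct_datasources(datasources)]}


def grafana_api(base_url, token, path, method="GET", body=None):
    """Minimal JSON call against the Grafana HTTP API with a bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url.rstrip("/") + path, data=data, method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def main(argv):
    base_url = os.environ.get("GRAFANA_URL")
    token = os.environ.get("GRAFANA_TOKEN")
    live = bool(base_url and token)
    if live:
        datasources = grafana_api(base_url, token, "/api/datasources")
    else:
        print("GRAFANA_URL/GRAFANA_TOKEN not set; auditing the constructed sample")
        datasources = SAMPLE_DATASOURCES
    report = audit_report(datasources)
    print("access modes:", report["counts"])
    for name in report["direct"]:
        print("direct (browser) access, password reaches the client:", name)
    if "--fix" in argv and live:
        for ds in find_direct_datasources(datasources):
            grafana_api(base_url, token, "/api/datasources/uid/" + ds["uid"],
                        "PUT", to_proxy(ds))
            print("converted to proxy:", ds["name"])
    # Non-zero exit when any direct data source remains, so the audit can gate CI.
    return 1 if report["direct"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `GRAFANA_URL=https://grafana.example GRAFANA_TOKEN=... python audit_direct_datasources.py` to report only, and add `--fix` to perform the conversion; without the two variables it runs against the constructed sample and exits non-zero because two direct data sources are present.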
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because it exposes the passwords of all direct data-sources to public-dashboard viewers, this vulnerability can give unauthorized parties access to the personal or health data those sources hold.
Such an exposure may put an organisation out of compliance with standards and regulations such as GDPR and HIPAA, which require that sensitive data and the credentials guarding it be protected from unauthorized access, and it may trigger breach-notification duties under those regimes.
Converting all direct data-sources to proxied data-sources removes the exposure, since proxied data-sources' passwords are not exposed.