CVE-2026-27877
Modified Modified - Updated After Analysis
Password Exposure in Grafana Direct Data-Sources via Public Dashboards

Publication date: 2026-03-27

Last updated on: 2026-05-10

Assigner: Grafana Labs

Description
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-05-10
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27877
EUVD
EUVD-2026-16596
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
grafana grafana From 11.6.14 (inc) to 12.0.0 (exc)
grafana grafana From 12.1.10 (inc) to 12.2.0 (exc)
grafana grafana From 12.2.8 (inc) to 12.3.0 (exc)
grafana grafana From 12.3.6 (inc) to 12.4.0 (exc)
grafana grafana to 9.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The exposure of direct data-source passwords can lead to unauthorized access to sensitive data sources. This could compromise the confidentiality of the data and potentially allow attackers to access or manipulate the underlying data.

To mitigate this risk, it is recommended to convert all direct data-sources to proxied data-sources, which do not expose passwords.

Mitigation Strategies

To mitigate this vulnerability, it is recommended to convert all direct data-sources to proxied data-sources wherever possible.

This change prevents exposure of passwords since proxied data-sources do not expose their passwords, unlike direct data-sources.

Executive Summary

This vulnerability occurs when using public dashboards and direct data-sources in Grafana. Despite the passwords for direct data-sources not being used in the dashboards, they are still exposed. However, passwords for proxied data-sources are not exposed.

The issue arises because direct data-source passwords are accessible even though they should remain confidential.

Compliance Impact

This vulnerability exposes all direct data-sources' passwords when using public dashboards and direct data-sources, which could lead to unauthorized access to sensitive information.

Exposure of passwords may result in non-compliance with common standards and regulations such as GDPR and HIPAA, which require protection of sensitive data and credentials to prevent unauthorized access.

To mitigate this risk and improve security, it is recommended to convert all direct data-sources to proxied data-sources, as proxied data-sources' passwords are not exposed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27877. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart