CVE-2025-12141
Unauthorized Access via Contact Point Editing in Grafana Alerting
Publication date: 2026-04-15
Last updated on: 2026-04-20
Assigner: Grafana Labs
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | grafana | From 8.0.0 (inc) to 12.3.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized editing of contact points by users with the "Contact Point Writer" role in Grafana versions greater than 8.0.0 up to and including 12.3.0. Detection involves identifying whether such roles are assigned and monitoring for modifications to contact points, especially changes to endpoint URLs.
To detect potential exploitation, audit Grafana user roles and permissions to check whether users hold the "alert.notifications:write" or "alert.notifications.receivers:test" permissions.
Additionally, monitoring logs for changes to contact points or test notification invocations can help identify suspicious activity.
- Check Grafana user roles and permissions via the Grafana API or UI to identify users with the "Contact Point Writer" role.
- Review Grafana alerting system logs for modifications to contact points or test notification triggers.
- Use network monitoring tools to detect outbound connections to unknown or suspicious endpoints that may indicate modified webhook URLs.
Specific commands depend on your environment, but examples include:
- Using the Grafana API to list contact points and their URLs: `curl -H "Authorization: Bearer <API_TOKEN>" https://<grafana-server>/api/v1/contact-points`
- Checking user roles via the API: `curl -H "Authorization: Bearer <API_TOKEN>" https://<grafana-server>/api/org/users`
- Monitoring logs for alerting changes, e.g., `grep 'contact point' /var/log/grafana/grafana.log`
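The check the answer above describes, comparing a saved snapshot of contact points against the current one and flagging endpoint URLs that changed or point outside an allowlist, as an added example that is not part of this page or of Grafana's own tooling. The contact-point JSON shape (`uid`, `name`, `type`, `settings.url`), the allowlisted hosts and both snapshots are constructed assumptions for the example, not the exact Grafana API schema.

```python
import json
from urllib.parse import urlparse

# Hosts that contact points are allowed to deliver to (constructed for this example).
ALLOWED_HOSTS = {"hooks.slack.com", "alerts.example.internal"}

# Constructed, simplified snapshots of contact points. The shape
# {"uid", "name", "type", "settings": {"url"}} is an assumption for this
# example, not the exact Grafana API schema.
BASELINE = [
    {"uid": "cp-1", "name": "ops-slack", "type": "slack",
     "settings": {"url": "https://hooks.slack.com/services/T000/B000/XXXX"}},
    {"uid": "cp-2", "name": "pager-webhook", "type": "webhook",
     "settings": {"url": "https://alerts.example.internal/hook"}},
]
CURRENT = [
    {"uid": "cp-1", "name": "ops-slack", "type": "slack",
     "settings": {"url": "https://hooks.slack.com/services/T000/B000/XXXX"}},
    {"uid": "cp-2", "name": "pager-webhook", "type": "webhook",
     "settings": {"url": "https://203.0.113.7/collect"}},  # redirected to an unknown host
]

def endpoint_host(cp):
    """Return the host of a contact point's delivery URL, or None if it has none."""
    url = cp.get("settings", {}).get("url")
    return urlparse(url).hostname if url else None

def find_suspicious_changes(baseline, current, allowed_hosts=ALLOWED_HOSTS):
    """Compare two contact-point snapshots keyed by uid and return findings.

    A finding is raised when a contact point's URL changed since the baseline,
    or when its current URL points at a host outside the allowlist.
    Each finding is a tuple: (uid, reason, detail, current_url).
    """
    before = {cp["uid"]: cp for cp in baseline}
    findings = []
    for cp in current:
        old = before.get(cp["uid"])
        old_url = old.get("settings", {}).get("url") if old else None
        new_url = cp.get("settings", {}).get("url")
        host = endpoint_host(cp)
        if old is not None and old_url != new_url:
            findings.append((cp["uid"], "url_changed", old_url, new_url))
        if host is not None and host not in allowed_hosts:
            findings.append((cp["uid"], "host_not_allowlisted", host, new_url))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_changes(BASELINE, CURRENT):
        print(json.dumps(finding))
```

In practice the baseline would be a snapshot taken after the last authorized change and the current list would come from the contact-points API call shown above.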
Can you explain this vulnerability to me?
CVE-2025-12141 is a low-severity information leakage vulnerability in Grafana's alerting system affecting versions greater than 8.0.0 up to and including 12.3.0.
Users with the "Contact Point Writer" role, which includes permissions like "alert.notifications:write" or "alert.notifications.receivers:test" (part of the basic Editor role), can edit contact points created by other users.
This unauthorized editing allows them to modify the endpoint URL to a server they control. By using the alerting system's test functionality, attackers can trigger test notifications that expose redacted secure settings such as authentication credentials (e.g., Slack tokens) for third-party integrations.
This leads to unauthorized access and potential compromise of external services integrated with Grafana.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive authentication credentials for third-party services integrated with Grafana.
Attackers with certain edit permissions can modify contact points to redirect notifications to servers they control, allowing them to capture secure settings.
As a result, external integrations such as Slack or other services could be compromised, potentially leading to further security breaches or data exposure.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Grafana to a version later than 12.3.0 where the issue is fixed.
Additionally, review and restrict user permissions, especially for those with the "Contact Point Writer" role or permissions "alert.notifications:write" and "alert.notifications.receivers:test", to prevent unauthorized editing of contact points.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows users with certain edit permissions to extract redacted secure settings, such as authentication credentials for third-party services, leading to unauthorized access and potential compromise of external integrations.
Such unauthorized access and exposure of sensitive credentials could potentially impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure access controls.
However, the provided information does not explicitly describe the direct effects on compliance frameworks or specific regulatory requirements.