Executive Summary

CVE-2025-12141 is a low-severity information leakage vulnerability in Grafana's alerting system affecting versions greater than 8.0.0 up to and including 12.3.0.

Users with the "Contact Point Writer" role, which includes permissions like "alert.notifications:write" or "alert.notifications.receivers:test" (part of the basic Editor role), can edit contact points created by other users.

This unauthorized editing allows them to modify the endpoint URL to a server they control. By using the alerting system's test functionality, attackers can trigger test notifications that expose redacted secure settings such as authentication credentials (e.g., Slack tokens) for third-party integrations.

This leads to unauthorized access and potential compromise of external services integrated with Grafana.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive authentication credentials for third-party services integrated with Grafana.

Attackers with certain edit permissions can modify contact points to redirect notifications to servers they control, allowing them to capture secure settings.

As a result, external integrations such as Slack or other services could be compromised, potentially leading to further security breaches or data exposure.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Grafana to a version later than 12.3.0 where the issue is fixed.

Additionally, review and restrict user permissions, especially for those with the "Contact Point Writer" role or permissions "alert.notifications:write" and "alert.notifications.receivers:test", to prevent unauthorized editing of contact points.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows users with certain edit permissions to extract redacted secure settings, such as authentication credentials for third-party services, leading to unauthorized access and potential compromise of external integrations.

Such unauthorized access and exposure of sensitive credentials could potentially impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure access controls.

However, the provided information does not explicitly describe the direct effects on compliance frameworks or specific regulatory requirements.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized editing of contact points by users with the "Contact Point Writer" role in Grafana versions greater than 8.0.0 up to and including 12.3.0. Detection involves identifying if such roles exist and monitoring for modifications to contact points, especially changes to endpoint URLs.

To detect potential exploitation, you can audit Grafana user roles and permissions to check if users have the "alert.notifications:write" or "alert.notifications.receivers:test" permissions.

Additionally, monitoring logs for changes to contact points or test notification invocations can help identify suspicious activity.

• Check Grafana user roles and permissions via Grafana API or UI to identify users with the "Contact Point Writer" role.
• Review Grafana alerting system logs for modifications to contact points or test notification triggers.
• Use network monitoring tools to detect outbound connections to unknown or suspicious endpoints that may indicate modified webhook URLs.

Specific commands depend on your environment, but examples include:

• Using Grafana API to list contact points and their URLs: curl -H "Authorization: Bearer <API_TOKEN>" https://<grafana-server>/api/v1/contact-points
• Checking user roles via API: curl -H "Authorization: Bearer <API_TOKEN>" https://<grafana-server>/api/org/users
• Monitoring logs for alerting changes, e.g., grep 'contact point' /var/log/grafana/grafana.log

Useful 0 Not Useful 0