CVE-2026-21727
Status: Received - Intake
Cross-Tenant Data Disclosure and Deletion in Grafana Correlations

Publication date: 2026-04-15

Last updated on: 2026-04-20

Assigner: Grafana Labs

Description
---
title: Cross-Tenant Legacy Correlation Disclosure and Deletion
draft: false
hero:
  image: /static/img/heros/hero-legal2.svg
  content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion"
date: 2026-01-29
product: Grafana
severity: Low
cve: CVE-2026-21727
cvss_score: "3.3"
cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
fixed_versions:
  - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4"
---

A cross-tenant isolation vulnerability was found in Grafana's Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
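As an added illustration of the backward-compatibility condition the advisory describes (example code written for this page, not Grafana's own), the Go model below contrasts a lookup rule that admits org_id = 0 rows for every organization with a strictly tenant-scoped rule; the record type, the strict rule and the sample rows are assumptions constructed for the example.

```go
package main

import "fmt"

// Correlation is a hypothetical stand-in for a stored correlation row (not Grafana's type).
type Correlation struct {
	UID   string
	OrgID int64 // 0 marks a legacy row created before org scoping
}

// LegacyVisible models the backward-compatibility condition in the advisory:
// a row matches its own org OR org_id = 0, so legacy rows leak to every org.
func LegacyVisible(c Correlation, orgID int64) bool { return c.OrgID == orgID || c.OrgID == 0 }

// StrictVisible is one tenant-scoped alternative (an assumption, not Grafana's actual fix).
func StrictVisible(c Correlation, orgID int64) bool { return c.OrgID == orgID }

// ListCorrelations returns the UIDs that orgID may read under rule.
func ListCorrelations(store []Correlation, orgID int64, rule func(Correlation, int64) bool) []string {
	var out []string
	for _, c := range store {
		if rule(c, orgID) {
			out = append(out, c.UID)
		}
	}
	return out
}

// DeleteCorrelation removes uid when rule lets orgID act on it; returns the rest and whether it deleted.
func DeleteCorrelation(store []Correlation, orgID int64, uid string, rule func(Correlation, int64) bool) ([]Correlation, bool) {
	var kept []Correlation
	deleted := false
	for _, c := range store {
		if c.UID == uid && rule(c, orgID) {
			deleted = true
			continue
		}
		kept = append(kept, c)
	}
	return kept, deleted
}

// SampleStore is a constructed dataset: one legacy row plus one row per org.
func SampleStore() []Correlation {
	return []Correlation{{UID: "legacy-1", OrgID: 0}, {UID: "org1-a", OrgID: 1}, {UID: "org2-a", OrgID: 2}}
}

func main() {
	fmt.Println("org 2 under legacy rule:", ListCorrelations(SampleStore(), 2, LegacyVisible))
}
```

Under the legacy rule org 2 both sees and can delete the org_id = 0 row it does not own; under the strict rule it sees and can delete only its own row.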
Meta Information

Published: 2026-04-15
Last Modified: 2026-04-20
Generated: 2026-06-16
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (5 associated CPEs)

Vendor   Product   Version / Range
grafana  grafana   from 12.2.0 (inc) to 12.2.4 (exc)
grafana  grafana   up to 11.6.11 (exc)
grafana  grafana   from 12.0.0 (inc) to 12.0.9 (exc)
grafana  grafana   from 12.1.0 (inc) to 12.1.6 (exc)
grafana  grafana   from 12.3.0 (inc) to 12.3.3 (exc)
CWE
CWE-732: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
AI Quick Actions
Compliance Impact

This vulnerability allows a user with datasource management privileges to read and permanently delete legacy correlation data belonging to other organizations due to a cross-tenant isolation flaw.

Such unauthorized access to, and deletion of, data across organizational boundaries could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict data isolation and protection of personal and sensitive information.

However, the vulnerability is rated as low severity with limited impact on confidentiality and integrity, and it affects only legacy correlation records created prior to Grafana 10.2.

Executive Summary

This vulnerability is a cross-tenant isolation issue in Grafana's Correlations feature affecting legacy correlation records. Because of a backward compatibility condition, records with org_id = 0 could be accessed across different organizations. As a result, a user with datasource management privileges could read and permanently delete legacy correlation data that belongs to another organization.

This issue specifically affects correlations created before Grafana version 10.2 and has been fixed in versions 11.6.11, 12.0.9, 12.1.6, and 12.2.4 or later.

Impact Analysis

The vulnerability allows a user with datasource management privileges to access and permanently delete legacy correlation data from other organizations. This could lead to unauthorized data disclosure and data loss across tenants, potentially compromising data integrity and confidentiality within a multi-tenant environment.

Mitigation Strategies

To mitigate this vulnerability, upgrade Grafana to a fixed version. The issue is resolved in 11.6.11, 12.0.9, 12.1.6 and 12.2.4, and in later releases on each of those lines.

Additionally, restrict datasource management privileges to trusted users only, as the vulnerability allows users with these privileges to read and delete legacy correlation data across organizations.
