CVE-2026-21727
Cross-Tenant Data Disclosure and Deletion in Grafana Correlations
Publication date: 2026-04-15
Last updated on: 2026-04-20
Assigner: Grafana Labs
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | grafana | Up to 11.6.11 (exc) |
| grafana | grafana | From 12.0.0 (inc) to 12.0.9 (exc) |
| grafana | grafana | From 12.1.0 (inc) to 12.1.6 (exc) |
| grafana | grafana | From 12.2.0 (inc) to 12.2.4 (exc) |
| grafana | grafana | From 12.3.0 (inc) to 12.3.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-tenant isolation flaw in Grafana's Correlations feature that affects legacy correlation records. Correlations created before Grafana 10.2 predate per-organization scoping and carry org_id = 0. A backward-compatibility condition treated such records as visible from every organization, so the tenant filter on reads and deletes did not apply to them. As a result, a user holding datasource management privileges in one organization could read, and permanently delete, legacy correlation records that belong to another organization (CWE-732: incorrect permission assignment for a critical resource).
The issue is limited to correlations created before Grafana 10.2. It is fixed in 11.6.11, 12.0.9, 12.1.6, 12.2.4 and 12.3.3; every earlier release in each of those lines is affected (see the affected-version table above).
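The following is an added illustration of the bug class described above, not Grafana's own code or patch: a tenant filter with an org_id = 0 fallback beside a strict filter, plus one possible remediation (assigning each legacy row to the organization that owns its source datasource). The record shape, the function names and the sample rows are assumptions constructed for the example.

```python
"""Model of the org_id = 0 backward-compatibility condition (CWE-732).

Added example code. It is NOT Grafana's implementation or fix; the record
fields, function names and remediation shown are assumptions that model the
behaviour the advisory describes.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, Iterable, List

LEGACY_ORG_ID = 0  # assumed sentinel left on rows created before org scoping existed


@dataclass(frozen=True)
class Correlation:
    uid: str
    org_id: int
    source_uid: str  # UID of the datasource the correlation is attached to
    label: str


Scope = Callable[[Iterable[Correlation], int], List[Correlation]]


def visible_to_org_legacy(records: Iterable[Correlation], org_id: int) -> List[Correlation]:
    """Vulnerable scoping: the org_id == 0 fallback lets legacy rows pass for EVERY org."""
    return [r for r in records if r.org_id == org_id or r.org_id == LEGACY_ORG_ID]


def visible_to_org_fixed(records: Iterable[Correlation], org_id: int) -> List[Correlation]:
    """Hardened scoping: strict tenant match, no shared sentinel value."""
    return [r for r in records if r.org_id == org_id]


def delete_correlation(records: List[Correlation], uid: str, org_id: int, scope: Scope) -> bool:
    """Delete `uid` on behalf of `org_id`; returns True if a row was removed.

    Deletion is authorised by the same scoping function as reads, so under the
    legacy scope a user in org 2 can remove org 1's legacy row.
    """
    for r in scope(records, org_id):
        if r.uid == uid:
            records.remove(r)
            return True
    return False


def migrate_legacy(records: Iterable[Correlation], datasource_org: Dict[str, int]) -> List[Correlation]:
    """One remediation approach (assumption, not the upstream migration): give each
    legacy row the org of its source datasource so no row keeps org_id == 0."""
    out: List[Correlation] = []
    for r in records:
        if r.org_id == LEGACY_ORG_ID:
            owner = datasource_org.get(r.source_uid)
            if owner is None:
                raise ValueError(f"no owning org known for datasource {r.source_uid!r}")
            r = replace(r, org_id=owner)
        out.append(r)
    return out


# Constructed sample data: two tenants plus one pre-10.2 row still carrying org_id 0.
SAMPLE = [
    Correlation("c-1", 1, "ds-loki-1", "trace lookup"),
    Correlation("c-2", 2, "ds-tempo-2", "logs for span"),
    Correlation("c-old", 0, "ds-loki-1", "legacy jump"),
]
DATASOURCE_ORG = {"ds-loki-1": 1, "ds-tempo-2": 2}  # constructed: datasource UID -> owning org


if __name__ == "__main__":
    print("org 2 sees (legacy filter):", [r.uid for r in visible_to_org_legacy(SAMPLE, 2)])
    print("org 2 sees (strict filter):", [r.uid for r in visible_to_org_fixed(SAMPLE, 2)])
    rows = list(SAMPLE)
    print("org 2 deletes c-old via legacy filter:", delete_correlation(rows, "c-old", 2, visible_to_org_legacy))
    rows = list(SAMPLE)
    print("org 2 deletes c-old via strict filter:", delete_correlation(rows, "c-old", 2, visible_to_org_fixed))
    print("after migration:", [(r.uid, r.org_id) for r in migrate_legacy(SAMPLE, DATASOURCE_ORG)])
```

The point to take from the example is that tightening the filter alone is not enough: with a strict filter, legacy rows become invisible to everyone, including their rightful owner, so a data migration that assigns them a real org_id (or an equivalent ownership rule) has to accompany the filter change.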
How can this vulnerability impact me?
A user with datasource management privileges in one organization can read legacy correlation records belonging to other organizations (disclosure of the correlation's label, description and datasource linkage) and can permanently delete them (data loss with no recovery path inside Grafana). In a multi-tenant deployment this breaks the isolation boundary between organizations for the affected records.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Grafana to a fixed release: 11.6.11, 12.0.9, 12.1.6, 12.2.4 or 12.3.3, or any later release in the same line, as listed in the affected-version table above.
Until the upgrade is done, restrict datasource management privileges to trusted users, since those privileges are what allow cross-organization reads and deletes of legacy correlation records.
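To turn the mitigation above into a check an operator can run, here is an added example (not a Grafana tool) that encodes the affected ranges from the table on this page and decides whether a given Grafana version needs the upgrade. It also parses the JSON returned by Grafana's `/api/health` endpoint, which reports the running version; the sample payload below is constructed, and the function names are mine.

```python
"""Check a Grafana version against the affected ranges listed for CVE-2026-21727.

Added example, not a Grafana utility. The ranges are taken from the page's
affected-version table: everything below 11.6.11, and the 12.0 / 12.1 / 12.2 /
12.3 lines before 12.0.9 / 12.1.6 / 12.2.4 / 12.3.3 respectively.
"""
import json
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive, or None for "no lower bound"; upper bound exclusive = first fixed release)
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (11, 6, 11)),
    ((12, 0, 0), (12, 0, 9)),
    ((12, 1, 0), (12, 1, 6)),
    ((12, 2, 0), (12, 2, 4)),
    ((12, 3, 0), (12, 3, 3)),
]

# Accepts "12.2.3", "v12.2.3" and suffixed builds such as "12.2.3-security-01".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text: str) -> Version:
    """Parse a Grafana version string into a (major, minor, patch) tuple.

    Pre-release and build suffixes are ignored for range comparison; this is a
    simplifying assumption of the example, not a statement about how Grafana
    numbers security builds.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for the affected range `version` falls in,
    or None when `version` is outside every affected range in the table."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return ".".join(str(n) for n in high)
    return None


def is_affected(version: str) -> bool:
    """True when `version` is inside one of the page's affected ranges."""
    return fixed_version_for(version) is not None


def verdict_from_health(payload: str) -> str:
    """Evaluate the JSON body of GET /api/health (fields: commit, database, version)."""
    version = json.loads(payload)["version"]
    fixed = fixed_version_for(version)
    if fixed is None:
        return f"{version}: not in an affected range"
    return f"{version}: affected, upgrade to {fixed} or later"


# Constructed sample response, shaped like Grafana's /api/health output.
SAMPLE_HEALTH = '{"commit": "abc1234", "database": "ok", "version": "12.2.3"}'


if __name__ == "__main__":
    for v in ("10.4.0", "11.6.10", "11.6.11", "12.2.3", "12.2.4", "12.3.3", "12.4.0"):
        print(f"{v:>8}: {'affected -> ' + fixed_version_for(v) if is_affected(v) else 'not affected'}")
    print(verdict_from_health(SAMPLE_HEALTH))
```

In practice you would feed `verdict_from_health` the body of `curl -s https://<grafana>/api/health` for each instance in the fleet. Note that a version outside every listed range (for example a 12.4.x release) is reported as not affected only because the table does not list it; re-check against the advisory if you run a line that is not in the table.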
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because the flaw lets a user in one organization read and permanently delete legacy correlation records that belong to another organization, it undermines the tenant isolation that frameworks such as GDPR and HIPAA expect for systems holding personal or sensitive data. Whether that amounts to a reportable incident depends on what the affected correlation records actually contained (labels, descriptions and datasource links rather than the underlying telemetry itself).
The exposure is bounded: the page rates the issue as low severity with limited confidentiality and integrity impact, and only correlation records created before Grafana 10.2 are affected.