Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-27877 (GCVE-0-2026-27877)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:02 – Updated: 2026-05-13 19:28
VLAI
EPSS
Title
Public dashboards discloses all direct mode datasources
Summary
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Severity
6.5 (Medium)
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
Date Public
2026-03-27 13:59
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27877",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:56:26.128138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:55:59.537Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"broken-link"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem",
"Cloud"
],
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T13:59:46.831Z",
"descriptions": [
{
"lang": "en",
"value": "When using public dashboards and direct data-sources, all direct data-sources\u0027 passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments\u0027 security."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T19:28:40.968Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Public dashboards discloses all direct mode datasources",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27877",
"datePublished": "2026-03-27T14:02:11.889Z",
"dateReserved": "2026-02-24T14:30:17.726Z",
"dateUpdated": "2026-05-13T19:28:40.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-27877",
"date": "2026-05-27",
"epss": "0.00015",
"percentile": "0.03092"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-27877\",\"sourceIdentifier\":\"security@grafana.com\",\"published\":\"2026-03-27T15:16:51.050\",\"lastModified\":\"2026-05-10T14:16:48.383\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When using public dashboards and direct data-sources, all direct data-sources\u0027 passwords are exposed despite not being used in dashboards.\\n\\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments\u0027 security.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-312\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"9.3.0\",\"matchCriteriaId\":\"0714C0DD-B9B9-4400-AE9C-C2C60BF57743\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.6.14\",\"versionEndExcluding\":\"12.0.0\",\"matchCriteriaId\":\"5845D5E9-8631-4F0B-B100-24DCDE4C8C1F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.1.10\",\"versionEndExcluding\":\"12.2.0\",\"matchCriteriaId\":\"AE3F977F-FF94-4A15-918C-54241EC49560\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.2.8\",\"versionEndExcluding\":\"12.3.0\",\"matchCriteriaId\":\"CB499815-0B44-4BF9-AB14-F7272EF0173F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.3.6\",\"versionEndExcluding\":\"12.4.0\",\"matchCriteriaId\":\"7F2B145A-24E0-4C0F-BF82-FFD2B1301B51\"}]}]}],\"references\":[{\"url\":\"https://grafana.com/security/security-advisories/cve-2026-27877\",\"source\":\"security@grafana.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://grafana.com/security/security-advisories/cve-2026-27877\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27877\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-27T14:56:26.128138Z\"}}}], \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2026-27877\", \"tags\": [\"broken-link\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-312\", \"description\": \"CWE-312 Cleartext Storage of Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-27T14:54:26.882Z\"}}], \"cna\": {\"title\": \"Public dashboards discloses all direct mode datasources\", \"source\": {\"discovery\": \"BUG_BOUNTY\"}, \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\"}}], \"affected\": [{\"vendor\": \"Grafana\", \"product\": \"Grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.3.0\", \"lessThan\": \"11.6.14\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.0.0\", \"lessThan\": \"12.1.10\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.2.0\", \"lessThan\": \"12.2.8\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.3.0\", \"lessThan\": \"12.3.6\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.4.0\", \"lessThan\": \"12.4.2\", \"versionType\": \"semver\"}], \"platforms\": [\"OnPrem\", \"Cloud\"], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-03-27T13:59:46.831Z\", \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2026-27877\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When using public dashboards and direct data-sources, all direct data-sources\u0027 passwords are exposed despite not being used in dashboards.\\n\\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments\u0027 security.\"}], \"providerMetadata\": {\"orgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"shortName\": \"GRAFANA\", \"dateUpdated\": \"2026-05-13T19:28:40.968Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-27877\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-13T19:28:40.968Z\", \"dateReserved\": \"2026-02-24T14:30:17.726Z\", \"assignerOrgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"datePublished\": \"2026-03-27T14:02:11.889Z\", \"assignerShortName\": \"GRAFANA\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
alsa-2026:10223
Vulnerability from osv_almalinux
Published
2026-04-23 00:00
Modified
2026-04-28 13:15
Summary
Important: grafana security update
Details
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
- grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.2.6-24.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "grafana-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.2.6-24.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es): \n\n * grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:10223",
"modified": "2026-04-28T13:15:16Z",
"published": "2026-04-23T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:10223"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27877"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2452293"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/10/ALSA-2026-10223.html"
}
],
"related": [
"CVE-2026-27877"
],
"summary": "Important: grafana security update"
}
alsa-2026:10226
Vulnerability from osv_almalinux
Published
2026-04-23 00:00
Modified
2026-04-30 07:30
Summary
Important: grafana security update
Details
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
- grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.2.6-20.el9_7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "grafana-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.2.6-20.el9_7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es): \n\n * grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:10226",
"modified": "2026-04-30T07:30:29Z",
"published": "2026-04-23T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:10226"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27877"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2452293"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2026-10226.html"
}
],
"related": [
"CVE-2026-27877"
],
"summary": "Important: grafana security update"
}
alsa-2026:19134
Vulnerability from osv_almalinux
Published
2026-05-19 00:00
Modified
2026-05-26 12:28
Summary
Important: grafana security update
Details
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
- grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)
- golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
- crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.2.6-26.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "grafana-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.2.6-26.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es): \n\n * grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)\n * golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:19134",
"modified": "2026-05-26T12:28:50Z",
"published": "2026-05-19T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:19134"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27877"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-32282"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-32283"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2452293"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2456336"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2456338"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/10/ALSA-2026-19134.html"
}
],
"related": [
"CVE-2026-27877",
"CVE-2026-32282",
"CVE-2026-32283"
],
"summary": "Important: grafana security update"
}
alsa-2026:19352
Vulnerability from osv_almalinux
Published
2026-05-19 00:00
Modified
2026-05-26 12:29
Summary
Important: grafana security update
Details
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
- grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)
- golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
- crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
| URL | Type | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.2.6-22.el9_8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "grafana-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.2.6-22.el9_8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es): \n\n * grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)\n * golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:19352",
"modified": "2026-05-26T12:29:02Z",
"published": "2026-05-19T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:19352"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27877"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-32282"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-32283"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2452293"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2456336"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2456338"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2026-19352.html"
}
],
"related": [
"CVE-2026-27877",
"CVE-2026-32282",
"CVE-2026-32283"
],
"summary": "Important: grafana security update"
}
bit-grafana-2026-27877
Vulnerability from bitnami_vulndb
Published
2026-04-01 08:41
Modified
2026-04-08 09:14
Summary
Public dashboards discloses all direct mode datasources
Details
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "grafana",
"purl": "pkg:bitnami/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.3.0"
},
{
"fixed": "11.6.14"
},
{
"introduced": "12.0.0"
},
{
"fixed": "12.1.10"
},
{
"introduced": "12.2.0"
},
{
"fixed": "12.2.8"
},
{
"introduced": "12.3.0"
},
{
"fixed": "12.3.6"
},
{
"introduced": "12.4.0"
},
{
"fixed": "12.4.2"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2026-27877"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe:2.3:a:grafana:grafana:*:*:*:*:*:go:*:*"
],
"severity": "High"
},
"details": "When using public dashboards and direct data-sources, all direct data-sources\u0027 passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments\u0027 security.",
"id": "BIT-grafana-2026-27877",
"modified": "2026-04-08T09:14:18.943Z",
"published": "2026-04-01T08:41:09.536Z",
"references": [
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27877"
}
],
"schema_version": "1.6.2",
"summary": "Public dashboards discloses all direct mode datasources"
}
FKIE_CVE-2026-27877
Vulnerability from fkie_nvd - Published: 2026-03-27 15:16 - Updated: 2026-05-10 14:16
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0714C0DD-B9B9-4400-AE9C-C2C60BF57743",
"versionEndExcluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5845D5E9-8631-4F0B-B100-24DCDE4C8C1F",
"versionEndExcluding": "12.0.0",
"versionStartIncluding": "11.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AE3F977F-FF94-4A15-918C-54241EC49560",
"versionEndExcluding": "12.2.0",
"versionStartIncluding": "12.1.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB499815-0B44-4BF9-AB14-F7272EF0173F",
"versionEndExcluding": "12.3.0",
"versionStartIncluding": "12.2.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7F2B145A-24E0-4C0F-BF82-FFD2B1301B51",
"versionEndExcluding": "12.4.0",
"versionStartIncluding": "12.3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When using public dashboards and direct data-sources, all direct data-sources\u0027 passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments\u0027 security."
}
],
"id": "CVE-2026-27877",
"lastModified": "2026-05-10T14:16:48.383",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@grafana.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-03-27T15:16:51.050",
"references": [
{
"source": "security@grafana.com",
"tags": [
"Vendor Advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Vendor Advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
}
],
"sourceIdentifier": "security@grafana.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
GHSA-3Q27-7QJQ-P9C5
Vulnerability from github – Published: 2026-03-27 15:30 – Updated: 2026-05-13 13:44
VLAI
Summary
Grafana public dashboards disclose all direct mode datasources
Details
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Severity
6.5 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 11.6.14"
},
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.3.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 12.1.10"
},
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 12.2.8"
},
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "12.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 12.3.6"
},
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "12.3.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 12.4.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "12.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "1.9.2-0.20221116104934-4ee83a5f2bf4"
},
{
"fixed": "1.9.2-0.20260325055210-3522153e07b4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27877"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-02T20:43:50Z",
"nvd_published_at": "2026-03-27T15:16:51Z",
"severity": "MODERATE"
},
"details": "When using public dashboards and direct data-sources, all direct data-sources\u0027 passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments\u0027 security.",
"id": "GHSA-3q27-7qjq-p9c5",
"modified": "2026-05-13T13:44:32Z",
"published": "2026-03-27T15:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27877"
},
{
"type": "PACKAGE",
"url": "https://github.com/grafana/grafana"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Grafana public dashboards disclose all direct mode datasources"
}
OPENSUSE-SU-2026:10601-1
Vulnerability from csaf_opensuse - Published: 2026-04-22 00:00 - Updated: 2026-04-22 00:00Summary
grafana-11.6.14+security01-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: grafana-11.6.14+security01-1.1 on GA media
Description of the patch: These are all security issues fixed in the grafana-11.6.14+security01-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10601
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.4 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
9.1 (Critical)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
38 references
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://www.suse.com/security/cve/CVE-2026-21720/ | self |
| https://www.suse.com/security/cve/CVE-2026-21721/ | self |
| https://www.suse.com/security/cve/CVE-2026-21722/ | self |
| https://www.suse.com/security/cve/CVE-2026-21724/ | self |
| https://www.suse.com/security/cve/CVE-2026-21725/ | self |
| https://www.suse.com/security/cve/CVE-2026-26958/ | self |
| https://www.suse.com/security/cve/CVE-2026-27876/ | self |
| https://www.suse.com/security/cve/CVE-2026-27877/ | self |
| https://www.suse.com/security/cve/CVE-2026-27879/ | self |
| https://www.suse.com/security/cve/CVE-2026-28375/ | self |
| https://www.suse.com/security/cve/CVE-2026-33186/ | self |
| https://www.suse.com/security/cve/CVE-2026-33375/ | self |
| https://www.suse.com/security/cve/CVE-2026-21720 | external |
| https://bugzilla.suse.com/1257349 | external |
| https://www.suse.com/security/cve/CVE-2026-21721 | external |
| https://bugzilla.suse.com/1257337 | external |
| https://www.suse.com/security/cve/CVE-2026-21722 | external |
| https://bugzilla.suse.com/1258136 | external |
| https://www.suse.com/security/cve/CVE-2026-21724 | external |
| https://bugzilla.suse.com/1260878 | external |
| https://www.suse.com/security/cve/CVE-2026-21725 | external |
| https://bugzilla.suse.com/1258873 | external |
| https://www.suse.com/security/cve/CVE-2026-26958 | external |
| https://bugzilla.suse.com/1258570 | external |
| https://www.suse.com/security/cve/CVE-2026-27876 | external |
| https://bugzilla.suse.com/1261025 | external |
| https://www.suse.com/security/cve/CVE-2026-27877 | external |
| https://bugzilla.suse.com/1261026 | external |
| https://www.suse.com/security/cve/CVE-2026-27879 | external |
| https://bugzilla.suse.com/1261027 | external |
| https://www.suse.com/security/cve/CVE-2026-28375 | external |
| https://bugzilla.suse.com/1261029 | external |
| https://www.suse.com/security/cve/CVE-2026-33186 | external |
| https://bugzilla.suse.com/1260085 | external |
| https://www.suse.com/security/cve/CVE-2026-33375 | external |
| https://bugzilla.suse.com/1260881 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "grafana-11.6.14+security01-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the grafana-11.6.14+security01-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10601",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10601-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21720 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21720/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21721 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21721/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21722 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21722/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21724 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21724/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21725 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21725/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-26958 page",
"url": "https://www.suse.com/security/cve/CVE-2026-26958/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27876 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27876/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27877 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27877/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27879 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27879/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-28375 page",
"url": "https://www.suse.com/security/cve/CVE-2026-28375/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33375 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33375/"
}
],
"title": "grafana-11.6.14+security01-1.1 on GA media",
"tracking": {
"current_release_date": "2026-04-22T00:00:00Z",
"generator": {
"date": "2026-04-22T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10601-1",
"initial_release_date": "2026-04-22T00:00:00Z",
"revision_history": [
{
"date": "2026-04-22T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.6.14+security01-1.1.aarch64",
"product": {
"name": "grafana-11.6.14+security01-1.1.aarch64",
"product_id": "grafana-11.6.14+security01-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.6.14+security01-1.1.ppc64le",
"product": {
"name": "grafana-11.6.14+security01-1.1.ppc64le",
"product_id": "grafana-11.6.14+security01-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.6.14+security01-1.1.s390x",
"product": {
"name": "grafana-11.6.14+security01-1.1.s390x",
"product_id": "grafana-11.6.14+security01-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.6.14+security01-1.1.x86_64",
"product": {
"name": "grafana-11.6.14+security01-1.1.x86_64",
"product_id": "grafana-11.6.14+security01-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.6.14+security01-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64"
},
"product_reference": "grafana-11.6.14+security01-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.6.14+security01-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le"
},
"product_reference": "grafana-11.6.14+security01-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.6.14+security01-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x"
},
"product_reference": "grafana-11.6.14+security01-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.6.14+security01-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
},
"product_reference": "grafana-11.6.14+security01-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-21720",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21720"
}
],
"notes": [
{
"category": "general",
"text": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21720",
"url": "https://www.suse.com/security/cve/CVE-2026-21720"
},
{
"category": "external",
"summary": "SUSE Bug 1257349 for CVE-2026-21720",
"url": "https://bugzilla.suse.com/1257349"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-21720"
},
{
"cve": "CVE-2026-21721",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21721"
}
],
"notes": [
{
"category": "general",
"text": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization-internal privilege escalation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21721",
"url": "https://www.suse.com/security/cve/CVE-2026-21721"
},
{
"category": "external",
"summary": "SUSE Bug 1257337 for CVE-2026-21721",
"url": "https://bugzilla.suse.com/1257337"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-21721"
},
{
"cve": "CVE-2026-21722",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21722"
}
],
"notes": [
{
"category": "general",
"text": "Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\n\nThis did not leak any annotations that would not otherwise be visible on the public dashboard.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21722",
"url": "https://www.suse.com/security/cve/CVE-2026-21722"
},
{
"category": "external",
"summary": "SUSE Bug 1258136 for CVE-2026-21722",
"url": "https://bugzilla.suse.com/1258136"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-21722"
},
{
"cve": "CVE-2026-21724",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21724"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21724",
"url": "https://www.suse.com/security/cve/CVE-2026-21724"
},
{
"category": "external",
"summary": "SUSE Bug 1260878 for CVE-2026-21724",
"url": "https://bugzilla.suse.com/1260878"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-21724"
},
{
"cve": "CVE-2026-21725",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21725"
}
],
"notes": [
{
"category": "general",
"text": "A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.\n\nThis requires several very stringent conditions to be met:\n\n- The attacker must have admin access to the specific datasource prior to its first deletion.\n- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.\n- The attacker must delete the datasource, then someone must recreate it.\n- The new datasource must not have the attacker as an admin.\n- The new datasource must have the same UID as the prior datasource. These are randomised by default.\n- The datasource can now be re-deleted by the attacker.\n- Once 30 seconds are up, the attack is spent and cannot be repeated.\n- No datasource with any other UID can be attacked.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21725",
"url": "https://www.suse.com/security/cve/CVE-2026-21725"
},
{
"category": "external",
"summary": "SUSE Bug 1258873 for CVE-2026-21725",
"url": "https://bugzilla.suse.com/1258873"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2026-21725"
},
{
"cve": "CVE-2026-26958",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-26958"
}
],
"notes": [
{
"category": "general",
"text": "filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-26958",
"url": "https://www.suse.com/security/cve/CVE-2026-26958"
},
{
"category": "external",
"summary": "SUSE Bug 1258570 for CVE-2026-26958",
"url": "https://bugzilla.suse.com/1258570"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-26958"
},
{
"cve": "CVE-2026-27876",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27876"
}
],
"notes": [
{
"category": "general",
"text": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable.\n\nOnly instances in the following version ranges are affected:\n\n- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.\n- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.\n- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.\n- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.\n- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27876",
"url": "https://www.suse.com/security/cve/CVE-2026-27876"
},
{
"category": "external",
"summary": "SUSE Bug 1261025 for CVE-2026-27876",
"url": "https://bugzilla.suse.com/1261025"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2026-27876"
},
{
"cve": "CVE-2026-27877",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27877"
}
],
"notes": [
{
"category": "general",
"text": "When using public dashboards and direct data-sources, all direct data-sources\u0027 passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments\u0027 security.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27877",
"url": "https://www.suse.com/security/cve/CVE-2026-27877"
},
{
"category": "external",
"summary": "SUSE Bug 1261026 for CVE-2026-27877",
"url": "https://bugzilla.suse.com/1261026"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-27877"
},
{
"cve": "CVE-2026-27879",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27879"
}
],
"notes": [
{
"category": "general",
"text": "A resample query can be used to trigger out-of-memory crashes in Grafana.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27879",
"url": "https://www.suse.com/security/cve/CVE-2026-27879"
},
{
"category": "external",
"summary": "SUSE Bug 1261027 for CVE-2026-27879",
"url": "https://bugzilla.suse.com/1261027"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-27879"
},
{
"cve": "CVE-2026-28375",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-28375"
}
],
"notes": [
{
"category": "general",
"text": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-28375",
"url": "https://www.suse.com/security/cve/CVE-2026-28375"
},
{
"category": "external",
"summary": "SUSE Bug 1261029 for CVE-2026-28375",
"url": "https://bugzilla.suse.com/1261029"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-28375"
},
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-33375",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33375"
}
],
"notes": [
{
"category": "general",
"text": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33375",
"url": "https://www.suse.com/security/cve/CVE-2026-33375"
},
{
"category": "external",
"summary": "SUSE Bug 1260881 for CVE-2026-33375",
"url": "https://bugzilla.suse.com/1260881"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security01-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-33375"
}
]
}
RHSA-2026:10223
Vulnerability from csaf_redhat - Published: 2026-04-23 22:58 - Updated: 2026-05-20 02:40Summary
Red Hat Security Advisory: grafana security update
Severity
Important
Notes
Topic: An update for grafana is now available for Red Hat Enterprise Linux 10.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
* grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Grafana. When public dashboards are used with direct data-sources, sensitive credentials, specifically passwords for all direct data-sources, are exposed. This information disclosure occurs even when these data-sources are not actively utilized in the dashboards. A remote attacker could exploit this to gain unauthorized access to other systems.
7.5 (High)
Affected products
Fixed
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
9 references
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:10223 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2452293 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2026-27877 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2452293 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-27877 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-27877 | external |
| https://grafana.com/security/security-advisories/… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 10.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10223",
"url": "https://access.redhat.com/errata/RHSA-2026:10223"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2452293",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452293"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10223.json"
}
],
"title": "Red Hat Security Advisory: grafana security update",
"tracking": {
"current_release_date": "2026-05-20T02:40:37+00:00",
"generator": {
"date": "2026-05-20T02:40:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2026:10223",
"initial_release_date": "2026-04-23T22:58:29+00:00",
"revision_history": [
{
"date": "2026-04-23T22:58:29+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T22:58:29+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-20T02:40:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:10.1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-24.el10_1.src",
"product": {
"name": "grafana-0:10.2.6-24.el10_1.src",
"product_id": "grafana-0:10.2.6-24.el10_1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-24.el10_1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-24.el10_1.aarch64",
"product": {
"name": "grafana-0:10.2.6-24.el10_1.aarch64",
"product_id": "grafana-0:10.2.6-24.el10_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-24.el10_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-24.el10_1.aarch64",
"product": {
"name": "grafana-selinux-0:10.2.6-24.el10_1.aarch64",
"product_id": "grafana-selinux-0:10.2.6-24.el10_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-24.el10_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-24.el10_1.aarch64",
"product": {
"name": "grafana-debugsource-0:10.2.6-24.el10_1.aarch64",
"product_id": "grafana-debugsource-0:10.2.6-24.el10_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-24.el10_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-24.el10_1.aarch64",
"product": {
"name": "grafana-debuginfo-0:10.2.6-24.el10_1.aarch64",
"product_id": "grafana-debuginfo-0:10.2.6-24.el10_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-24.el10_1?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-24.el10_1.ppc64le",
"product": {
"name": "grafana-0:10.2.6-24.el10_1.ppc64le",
"product_id": "grafana-0:10.2.6-24.el10_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-24.el10_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-24.el10_1.ppc64le",
"product": {
"name": "grafana-selinux-0:10.2.6-24.el10_1.ppc64le",
"product_id": "grafana-selinux-0:10.2.6-24.el10_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-24.el10_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-24.el10_1.ppc64le",
"product": {
"name": "grafana-debugsource-0:10.2.6-24.el10_1.ppc64le",
"product_id": "grafana-debugsource-0:10.2.6-24.el10_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-24.el10_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-24.el10_1.ppc64le",
"product": {
"name": "grafana-debuginfo-0:10.2.6-24.el10_1.ppc64le",
"product_id": "grafana-debuginfo-0:10.2.6-24.el10_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-24.el10_1?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-24.el10_1.s390x",
"product": {
"name": "grafana-0:10.2.6-24.el10_1.s390x",
"product_id": "grafana-0:10.2.6-24.el10_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-24.el10_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-24.el10_1.s390x",
"product": {
"name": "grafana-selinux-0:10.2.6-24.el10_1.s390x",
"product_id": "grafana-selinux-0:10.2.6-24.el10_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-24.el10_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-24.el10_1.s390x",
"product": {
"name": "grafana-debugsource-0:10.2.6-24.el10_1.s390x",
"product_id": "grafana-debugsource-0:10.2.6-24.el10_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-24.el10_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-24.el10_1.s390x",
"product": {
"name": "grafana-debuginfo-0:10.2.6-24.el10_1.s390x",
"product_id": "grafana-debuginfo-0:10.2.6-24.el10_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-24.el10_1?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-24.el10_1.x86_64",
"product": {
"name": "grafana-0:10.2.6-24.el10_1.x86_64",
"product_id": "grafana-0:10.2.6-24.el10_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-24.el10_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-24.el10_1.x86_64",
"product": {
"name": "grafana-selinux-0:10.2.6-24.el10_1.x86_64",
"product_id": "grafana-selinux-0:10.2.6-24.el10_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-24.el10_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-24.el10_1.x86_64",
"product": {
"name": "grafana-debugsource-0:10.2.6-24.el10_1.x86_64",
"product_id": "grafana-debugsource-0:10.2.6-24.el10_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-24.el10_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-24.el10_1.x86_64",
"product": {
"name": "grafana-debuginfo-0:10.2.6-24.el10_1.x86_64",
"product_id": "grafana-debuginfo-0:10.2.6-24.el10_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-24.el10_1?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-24.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.aarch64"
},
"product_reference": "grafana-0:10.2.6-24.el10_1.aarch64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-24.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.ppc64le"
},
"product_reference": "grafana-0:10.2.6-24.el10_1.ppc64le",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-24.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.s390x"
},
"product_reference": "grafana-0:10.2.6-24.el10_1.s390x",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-24.el10_1.src as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.src"
},
"product_reference": "grafana-0:10.2.6-24.el10_1.src",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-24.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.x86_64"
},
"product_reference": "grafana-0:10.2.6-24.el10_1.x86_64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-24.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.aarch64"
},
"product_reference": "grafana-debuginfo-0:10.2.6-24.el10_1.aarch64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-24.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.ppc64le"
},
"product_reference": "grafana-debuginfo-0:10.2.6-24.el10_1.ppc64le",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-24.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.s390x"
},
"product_reference": "grafana-debuginfo-0:10.2.6-24.el10_1.s390x",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-24.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.x86_64"
},
"product_reference": "grafana-debuginfo-0:10.2.6-24.el10_1.x86_64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-24.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.aarch64"
},
"product_reference": "grafana-debugsource-0:10.2.6-24.el10_1.aarch64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-24.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.ppc64le"
},
"product_reference": "grafana-debugsource-0:10.2.6-24.el10_1.ppc64le",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-24.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.s390x"
},
"product_reference": "grafana-debugsource-0:10.2.6-24.el10_1.s390x",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-24.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.x86_64"
},
"product_reference": "grafana-debugsource-0:10.2.6-24.el10_1.x86_64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-24.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.aarch64"
},
"product_reference": "grafana-selinux-0:10.2.6-24.el10_1.aarch64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-24.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.ppc64le"
},
"product_reference": "grafana-selinux-0:10.2.6-24.el10_1.ppc64le",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-24.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.s390x"
},
"product_reference": "grafana-selinux-0:10.2.6-24.el10_1.s390x",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-24.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.x86_64"
},
"product_reference": "grafana-selinux-0:10.2.6-24.el10_1.x86_64",
"relates_to_product_reference": "AppStream-10.1.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-27877",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-03-27T15:03:34.023744+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2452293"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. When public dashboards are used with direct data-sources, sensitive credentials, specifically passwords for all direct data-sources, are exposed. This information disclosure occurs even when these data-sources are not actively utilized in the dashboards. A remote attacker could exploit this to gain unauthorized access to other systems.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Grafana: Information disclosure of data-source passwords via public dashboards",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.src",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.x86_64",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.x86_64",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.x86_64",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27877"
},
{
"category": "external",
"summary": "RHBZ#2452293",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452293"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27877",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27877"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27877",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27877"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2026-27877",
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
}
],
"release_date": "2026-03-27T14:02:11.889000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T22:58:29+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.src",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.x86_64",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.x86_64",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.x86_64",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10223"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.src",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.x86_64",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.x86_64",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.x86_64",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.src",
"AppStream-10.1.Z:grafana-0:10.2.6-24.el10_1.x86_64",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-debuginfo-0:10.2.6-24.el10_1.x86_64",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-debugsource-0:10.2.6-24.el10_1.x86_64",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.aarch64",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.ppc64le",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.s390x",
"AppStream-10.1.Z:grafana-selinux-0:10.2.6-24.el10_1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: Grafana: Information disclosure of data-source passwords via public dashboards"
}
]
}
RHSA-2026:10226
Vulnerability from csaf_redhat - Published: 2026-04-24 07:50 - Updated: 2026-05-20 02:40Summary
Red Hat Security Advisory: grafana security update
Severity
Important
Notes
Topic: An update for grafana is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
* grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Grafana. When public dashboards are used with direct data-sources, sensitive credentials, specifically passwords for all direct data-sources, are exposed. This information disclosure occurs even when these data-sources are not actively utilized in the dashboards. A remote attacker could exploit this to gain unauthorized access to other systems.
7.5 (High)
Affected products
Fixed
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
9 references
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:10226 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2452293 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2026-27877 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2452293 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-27877 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-27877 | external |
| https://grafana.com/security/security-advisories/… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10226",
"url": "https://access.redhat.com/errata/RHSA-2026:10226"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2452293",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452293"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10226.json"
}
],
"title": "Red Hat Security Advisory: grafana security update",
"tracking": {
"current_release_date": "2026-05-20T02:40:37+00:00",
"generator": {
"date": "2026-05-20T02:40:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2026:10226",
"initial_release_date": "2026-04-24T07:50:50+00:00",
"revision_history": [
{
"date": "2026-04-24T07:50:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-24T07:50:50+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-20T02:40:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-20.el9_7.src",
"product": {
"name": "grafana-0:10.2.6-20.el9_7.src",
"product_id": "grafana-0:10.2.6-20.el9_7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-20.el9_7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-20.el9_7.aarch64",
"product": {
"name": "grafana-0:10.2.6-20.el9_7.aarch64",
"product_id": "grafana-0:10.2.6-20.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-20.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-20.el9_7.aarch64",
"product": {
"name": "grafana-selinux-0:10.2.6-20.el9_7.aarch64",
"product_id": "grafana-selinux-0:10.2.6-20.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-20.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-20.el9_7.aarch64",
"product": {
"name": "grafana-debugsource-0:10.2.6-20.el9_7.aarch64",
"product_id": "grafana-debugsource-0:10.2.6-20.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-20.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-20.el9_7.aarch64",
"product": {
"name": "grafana-debuginfo-0:10.2.6-20.el9_7.aarch64",
"product_id": "grafana-debuginfo-0:10.2.6-20.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-20.el9_7?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-20.el9_7.ppc64le",
"product": {
"name": "grafana-0:10.2.6-20.el9_7.ppc64le",
"product_id": "grafana-0:10.2.6-20.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-20.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-20.el9_7.ppc64le",
"product": {
"name": "grafana-selinux-0:10.2.6-20.el9_7.ppc64le",
"product_id": "grafana-selinux-0:10.2.6-20.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-20.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-20.el9_7.ppc64le",
"product": {
"name": "grafana-debugsource-0:10.2.6-20.el9_7.ppc64le",
"product_id": "grafana-debugsource-0:10.2.6-20.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-20.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-20.el9_7.ppc64le",
"product": {
"name": "grafana-debuginfo-0:10.2.6-20.el9_7.ppc64le",
"product_id": "grafana-debuginfo-0:10.2.6-20.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-20.el9_7?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-20.el9_7.x86_64",
"product": {
"name": "grafana-0:10.2.6-20.el9_7.x86_64",
"product_id": "grafana-0:10.2.6-20.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-20.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-20.el9_7.x86_64",
"product": {
"name": "grafana-selinux-0:10.2.6-20.el9_7.x86_64",
"product_id": "grafana-selinux-0:10.2.6-20.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-20.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-20.el9_7.x86_64",
"product": {
"name": "grafana-debugsource-0:10.2.6-20.el9_7.x86_64",
"product_id": "grafana-debugsource-0:10.2.6-20.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-20.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-20.el9_7.x86_64",
"product": {
"name": "grafana-debuginfo-0:10.2.6-20.el9_7.x86_64",
"product_id": "grafana-debuginfo-0:10.2.6-20.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-20.el9_7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-20.el9_7.s390x",
"product": {
"name": "grafana-0:10.2.6-20.el9_7.s390x",
"product_id": "grafana-0:10.2.6-20.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-20.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-20.el9_7.s390x",
"product": {
"name": "grafana-selinux-0:10.2.6-20.el9_7.s390x",
"product_id": "grafana-selinux-0:10.2.6-20.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-20.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-20.el9_7.s390x",
"product": {
"name": "grafana-debugsource-0:10.2.6-20.el9_7.s390x",
"product_id": "grafana-debugsource-0:10.2.6-20.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-20.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-20.el9_7.s390x",
"product": {
"name": "grafana-debuginfo-0:10.2.6-20.el9_7.s390x",
"product_id": "grafana-debuginfo-0:10.2.6-20.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-20.el9_7?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-20.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.aarch64"
},
"product_reference": "grafana-0:10.2.6-20.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-20.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.ppc64le"
},
"product_reference": "grafana-0:10.2.6-20.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-20.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.s390x"
},
"product_reference": "grafana-0:10.2.6-20.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-20.el9_7.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.src"
},
"product_reference": "grafana-0:10.2.6-20.el9_7.src",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-20.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.x86_64"
},
"product_reference": "grafana-0:10.2.6-20.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-20.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.aarch64"
},
"product_reference": "grafana-debuginfo-0:10.2.6-20.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-20.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.ppc64le"
},
"product_reference": "grafana-debuginfo-0:10.2.6-20.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-20.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.s390x"
},
"product_reference": "grafana-debuginfo-0:10.2.6-20.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-20.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.x86_64"
},
"product_reference": "grafana-debuginfo-0:10.2.6-20.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-20.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.aarch64"
},
"product_reference": "grafana-debugsource-0:10.2.6-20.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-20.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.ppc64le"
},
"product_reference": "grafana-debugsource-0:10.2.6-20.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-20.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.s390x"
},
"product_reference": "grafana-debugsource-0:10.2.6-20.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-20.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.x86_64"
},
"product_reference": "grafana-debugsource-0:10.2.6-20.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-20.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.aarch64"
},
"product_reference": "grafana-selinux-0:10.2.6-20.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-20.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.ppc64le"
},
"product_reference": "grafana-selinux-0:10.2.6-20.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-20.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.s390x"
},
"product_reference": "grafana-selinux-0:10.2.6-20.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-20.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.x86_64"
},
"product_reference": "grafana-selinux-0:10.2.6-20.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-27877",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-03-27T15:03:34.023744+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2452293"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. When public dashboards are used with direct data-sources, sensitive credentials, specifically passwords for all direct data-sources, are exposed. This information disclosure occurs even when these data-sources are not actively utilized in the dashboards. A remote attacker could exploit this to gain unauthorized access to other systems.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Grafana: Information disclosure of data-source passwords via public dashboards",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.src",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27877"
},
{
"category": "external",
"summary": "RHBZ#2452293",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452293"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27877",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27877"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27877",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27877"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2026-27877",
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
}
],
"release_date": "2026-03-27T14:02:11.889000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-24T07:50:50+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.src",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10226"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.src",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.src",
"AppStream-9.7.0.Z.MAIN:grafana-0:10.2.6-20.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-debuginfo-0:10.2.6-20.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-debugsource-0:10.2.6-20.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:grafana-selinux-0:10.2.6-20.el9_7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: Grafana: Information disclosure of data-source passwords via public dashboards"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…