{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21721", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-01-05T09:26:06.214Z", "datePublished": "2026-01-27T09:07:55.160Z", "dateUpdated": "2026-05-13T19:28:43.691Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-05-13T19:28:43.691Z"}, "datePublic": "2026-01-27T09:05:28.422Z", "title": "Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation", "descriptions": [{"lang": "en", "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation.", "supportingMedia": [{"type": "text/markdown", "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."}]}], "affected": [{"vendor": "Grafana", "product": "grafana/grafana", "defaultStatus": "unaffected", "versions": [{"version": "12.3.0", "status": "affected", "versionType": "semver", "lessThan": "12.3.1"}]}, {"vendor": "Grafana", "product": "grafana/grafana", "defaultStatus": "unaffected", "versions": [{"version": "12.2.0", "status": "affected", "versionType": "semver", "lessThan": "12.2.3"}]}, {"vendor": "Grafana", "product": "grafana/grafana", "defaultStatus": "unaffected", "versions": [{"version": "12.1.0", "status": "affected", "versionType": "semver", "lessThan": "12.1.5"}]}, {"vendor": "Grafana", "product": "grafana/grafana", "defaultStatus": "unaffected", "versions": [{"version": "12.0.0", "status": "affected", "versionType": "semver", "lessThan": "12.0.8"}]}, {"vendor": "Grafana", "product": "grafana/grafana", "defaultStatus": "unaffected", "versions": [{"version": "10.2.0", "status": "affected", "versionType": "semver", "lessThan": "11.6.9"}]}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "defaultStatus": "unaffected", "versions": [{"version": "10.2.0", "status": "affected", "versionType": "semver", "lessThan": "11.6.9"}]}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "defaultStatus": "unaffected", "versions": [{"version": "12.0.0", "status": "affected", "versionType": "semver", "lessThan": "12.0.8"}]}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "defaultStatus": "unaffected", "versions": [{"version": "12.1.0", "status": "affected", "versionType": "semver", "lessThan": "12.1.5"}]}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "defaultStatus": "unaffected", "versions": [{"version": "12.2.0", "status": "affected", "versionType": "semver", "lessThan": "12.2.3"}]}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "defaultStatus": "unaffected", "versions": [{"version": "12.3.0", "status": "affected", "versionType": "semver", "lessThan": "12.3.1"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-21721", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-863", "lang": "en", "description": "CWE-863 Incorrect Authorization"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T04:55:19.556498Z", "id": "CVE-2026-21721", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T21:45:54.908Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21721", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-28T04:55:19.556498Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T15:26:51.354Z"}}], "cna": {"title": "Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}}], "affected": [{"vendor": "Grafana", "product": "grafana/grafana", "versions": [{"status": "affected", "version": "12.3.0", "lessThan": "12.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana", "versions": [{"status": "affected", "version": "12.2.0", "lessThan": "12.2.3", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana", "versions": [{"status": "affected", "version": "12.1.0", "lessThan": "12.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana", "versions": [{"status": "affected", "version": "12.0.0", "lessThan": "12.0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana", "versions": [{"status": "affected", "version": "10.2.0", "lessThan": "11.6.9", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "versions": [{"status": "affected", "version": "10.2.0", "lessThan": "11.6.9", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "versions": [{"status": "affected", "version": "12.0.0", "lessThan": "12.0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "versions": [{"status": "affected", "version": "12.1.0", "lessThan": "12.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "versions": [{"status": "affected", "version": "12.2.0", "lessThan": "12.2.3", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "versions": [{"status": "affected", "version": "12.3.0", "lessThan": "12.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-01-27T09:05:28.422Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-21721", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation.", "supportingMedia": [{"type": "text/markdown", "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-05-13T19:28:43.691Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21721", "state": "PUBLISHED", "dateUpdated": "2026-05-13T19:28:43.691Z", "dateReserved": "2026-01-05T09:26:06.214Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-01-27T09:07:55.160Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F6E2185-5D9B-4519-BFE1-363489FDE5C5", "versionEndExcluding": "11.6.9", "versionStartIncluding": "10.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "0800CF3F-6B22-4AC9-B7A5-88F00162D7CF", "versionEndExcluding": "12.0.8", "versionStartIncluding": "12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "B74E6E97-D985-4F8E-BFE9-DD40D99995D8", "versionEndExcluding": "12.1.5", "versionStartIncluding": "12.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "FCC333B0-9BDE-4A2D-9648-C8017242DDC7", "versionEndExcluding": "12.2.3", "versionStartIncluding": "12.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:11.6.9:-:*:*:*:*:*:*", "matchCriteriaId": "75C49C18-902A-447E-97F3-2679BD19B517", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:12.0.8:-:*:*:*:*:*:*", "matchCriteriaId": "63A1D7CB-4839-4706-AB16-0D1609B62C1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:12.1.5:-:*:*:*:*:*:*", "matchCriteriaId": "FCEFE43C-35EA-4163-A184-6FE2FF14B2BA", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:12.2.3:-:*:*:*:*:*:*", "matchCriteriaId": "D5613D06-3180-477D-9272-CAF86A6D764D", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:12.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D0226F9E-7B57-4F41-BC7D-234F17628970", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:12.3.1:-:*:*:*:*:*:*", "matchCriteriaId": "B7B29640-D0AE-4B99-95F8-B1D84E3A17AA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."}, {"lang": "es", "value": "La API de permisos del panel no verifica el alcance del panel de destino y solo comprueba la acci\u00f3n dashboards.permissions:*. Como resultado, un usuario que tiene derechos de gesti\u00f3n de permisos en un panel puede leer y modificar permisos en otros paneles. Esto es una escalada de privilegios interna de la organizaci\u00f3n."}], "id": "CVE-2026-21721", "lastModified": "2026-04-20T17:28:19.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-01-27T09:15:48.640", "references": [{"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2026-21721"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation", "id": "2433242", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433242"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-639", "details": ["The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-21721", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "rhel8/grafana", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "rhel9/grafana", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Affected", "package_name": "rhel8/grafana", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Affected", "package_name": "rhel9/grafana", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:8", "fix_state": "Affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 8"}, {"cpe": "cpe:/a:redhat:ceph_storage:8", "fix_state": "Affected", "package_name": "rhel8/grafana", "product_name": "Red Hat Ceph Storage 8"}, {"cpe": "cpe:/a:redhat:ceph_storage:8", "fix_state": "Affected", "package_name": "rhel9/grafana", "product_name": "Red Hat Ceph Storage 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-27T09:07:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21721\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21721\nhttps://grafana.com/security/security-advisories/CVE-2026-21721"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-15T17:36:08.314040+00:00", "value": {"mitigation_remediation": ["Update to the latest patched release of Grafana, which corrects the dashboard scope validation in the permissions API.", "Revoke dashboards.permissions:* rights from users who do not require that level of privilege, applying the principle of least privilege.", "Review and tighten dashboard permission scopes to ensure that permission changes are only allowed within the intended dashboard\u2019s context, and monitor for anomalous permission\u2011management activity in Grafana logs."], "summary": {"action": "Patch Now", "impact": "Privilege Escalation within a Grafana organization"}, "threat_synthesis": {"affected_systems": "All Grafana installations affected by this advisory, including the community edition and the enterprise edition of Grafana. The problem affects any deployed instance where dashboards.permissions:* scopes are granted, regardless of the Grafana version listed in the advisory. No specific version range is enumerated in the CNA data, so administrators should assume all current and older releases are vulnerable until patched.", "description_and_impact": "The vulnerability resides in the Dashboard Permissions API, which fails to enforce the intended dashboard scope when validating permission modifications. The API only checks for the generic dashboards.permissions:* action rather than verifying that the target dashboard belongs to the same namespace. As a result, a user granted permission\u2011management rights on one dashboard can read and alter the permissions of any other dashboard in the same organization. The consequence is a trusted\u2011user privilege escalation that allows an internal attacker to gain unauthorized read or modify access to other dashboards, potentially exposing sensitive metrics or configuration data. This weakness maps to CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-863 (Improper Enforcement of Restriction on Use of Privilege\u2011Escalating Functions).", "risk_and_exploitability": "The CVSS score of 8.1 signals a high severity, reflecting the ability of an attacker to elevate privileges without additional exploits. The EPSS score is below 1%, suggesting that active exploitation is rare or not observed at the time of scoring. The vulnerability is not listed in the CISA KEV catalog, indicating no widespread, publicly available exploits are known. Likely attack vectors involve internal users or compromised accounts that invoke the guarded API endpoints, potentially through Grafana\u2019s own web interface or API clients. Exploitation would require the attacker to first obtain a legitimate user session or credentials for a user who has dashboards.permissions:* rights, and then target other dashboards within the organization.\n"}}}}, "created": "2026-01-27T20:17:03.191691+00:00", "updated": "2026-04-15T18:00:15.539445+00:00", "vendors": ["grafana", "grafana$PRODUCT$grafana", "grafana$PRODUCT$grafana_enterprise"]}