{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27877", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-02-24T14:30:17.726Z", "datePublished": "2026-03-27T14:02:11.889Z", "dateUpdated": "2026-05-13T19:28:40.968Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-05-13T19:28:40.968Z"}, "datePublic": "2026-03-27T13:59:46.831Z", "title": "Public dashboards discloses all direct mode datasources", "descriptions": [{"lang": "en", "value": "When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security."}], "affected": [{"vendor": "Grafana", "product": "Grafana", "platforms": ["OnPrem", "Cloud"], "defaultStatus": "unaffected", "versions": [{"version": "9.3.0", "status": "affected", "versionType": "semver", "lessThan": "11.6.14"}, {"version": "12.0.0", "status": "affected", "versionType": "semver", "lessThan": "12.1.10"}, {"version": "12.2.0", "status": "affected", "versionType": "semver", "lessThan": "12.2.8"}, {"version": "12.3.0", "status": "affected", "versionType": "semver", "lessThan": "12.3.6"}, {"version": "12.4.0", "status": "affected", "versionType": "semver", "lessThan": "12.4.2"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27877", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-312", "lang": "en", "description": "CWE-312 Cleartext Storage of Sensitive Information"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27877", "tags": ["broken-link"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T14:56:26.128138Z", "id": "CVE-2026-27877", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-10T13:55:59.537Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27877", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T14:56:26.128138Z"}}}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27877", "tags": ["broken-link"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:54:26.882Z"}}], "cna": {"title": "Public dashboards discloses all direct mode datasources", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "Grafana", "product": "Grafana", "versions": [{"status": "affected", "version": "9.3.0", "lessThan": "11.6.14", "versionType": "semver"}, {"status": "affected", "version": "12.0.0", "lessThan": "12.1.10", "versionType": "semver"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.8", "versionType": "semver"}, {"status": "affected", "version": "12.3.0", "lessThan": "12.3.6", "versionType": "semver"}, {"status": "affected", "version": "12.4.0", "lessThan": "12.4.2", "versionType": "semver"}], "platforms": ["OnPrem", "Cloud"], "defaultStatus": "unaffected"}], "datePublic": "2026-03-27T13:59:46.831Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27877", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security."}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-05-13T19:28:40.968Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27877", "state": "PUBLISHED", "dateUpdated": "2026-05-13T19:28:40.968Z", "dateReserved": "2026-02-24T14:30:17.726Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-03-27T14:02:11.889Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "0714C0DD-B9B9-4400-AE9C-C2C60BF57743", "versionEndExcluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "5845D5E9-8631-4F0B-B100-24DCDE4C8C1F", "versionEndExcluding": "12.0.0", "versionStartIncluding": "11.6.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE3F977F-FF94-4A15-918C-54241EC49560", "versionEndExcluding": "12.2.0", "versionStartIncluding": "12.1.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB499815-0B44-4BF9-AB14-F7272EF0173F", "versionEndExcluding": "12.3.0", "versionStartIncluding": "12.2.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F2B145A-24E0-4C0F-BF82-FFD2B1301B51", "versionEndExcluding": "12.4.0", "versionStartIncluding": "12.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security."}], "id": "CVE-2026-27877", "lastModified": "2026-05-10T14:16:48.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@grafana.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-27T15:16:51.050", "references": [{"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2026-27877"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2026-27877"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-312"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana: Grafana: Information disclosure of data-source passwords via public dashboards", "id": "2452293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452293"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-201", "details": ["A flaw was found in Grafana. When public dashboards are used with direct data-sources, sensitive credentials, specifically passwords for all direct data-sources, are exposed. This information disclosure occurs even when these data-sources are not actively utilized in the dashboards. A remote attacker could exploit this to gain unauthorized access to other systems."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27877", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-27T14:02:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27877\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27877\nhttps://grafana.com/security/security-advisories/cve-2026-27877"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[9.3.0,11.6.14)"}}, {"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.0.0,12.1.10)"}}, {"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.2.0,12.2.8)"}}, {"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.0,12.3.6)"}}, {"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.4.0,12.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Grafana", "source": "cna", "vendor": "Grafana"}, "product": "grafana", "vendor": "grafana"}], "created": "2026-03-27T20:28:45.992344+00:00", "updated": "2026-05-10T16:00:13.425114+00:00", "vendors": ["grafana", "grafana$PRODUCT$grafana"]}