
grafana

98 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
| CVE | Affected versions | CVSS | Severity | Summary |
|---|---|---|---|---|
| CVE-2026-28376 | >= 8.0.0 and < 11.6.14 | 6.5 | MEDIUM | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, |
| CVE-2026-21727 | < 11.6.11 | 3.3 | LOW | Cross-Tenant Legacy Correlation Disclosure and Deletion |
| CVE-2026-21726 | < 3.6.4 | 5.3 | MEDIUM | The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encodin |
| CVE-2025-12141 | >= 8.0.0 and <= 12.3.0 | 6.5 | MEDIUM | In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications |
| CVE-2026-28375 | < 8.1.0 | 6.5 | MEDIUM | A testdata data-source can be used to trigger out-of-memory crashes in Grafana. |
| CVE-2026-27880 | < 12.1.0 | 7.5 | HIGH | The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. |
| CVE-2026-27879 | < 8.0.0 | 6.5 | MEDIUM | A resample query can be used to trigger out-of-memory crashes in Grafana. |
| CVE-2026-27877 | < 9.3.0 | 6.5 | MEDIUM | When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in das |
| CVE-2026-27876 | < 11.6.0 | 9.1 | CRITICAL | A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). T |
| CVE-2026-33375 | >= 11.6.0 and < 11.6.14 | 6.5 | MEDIUM | The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions a |
| CVE-2026-21724 | >= 11.6.9 and < 11.6.14 | 5.4 | MEDIUM | A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows use |
| CVE-2026-21725 | >= 11.0.0 and < 12.4.1 | 2.6 | LOW | A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without per |
| CVE-2026-21722 | >= 9.3.0 and < 11.6.10 | 5.3 | MEDIUM | Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboar |
| CVE-2025-41117 | >= 12.2.0 and < 12.2.4 | 6.8 | MEDIUM | Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. Th |
| CVE-2026-21721 | >= 10.2.0 and < 11.6.9 | 8.1 | HIGH | The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a |
| CVE-2026-21720 | >= 3.0.0 and < 11.6.9 | 7.5 | HIGH | Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot work |
| CVE-2025-41115 | >= 12.0.0 and < 12.2.1 | 10.0 | CRITICAL | SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and |
| CVE-2025-4123 | < 10.4.18 | 7.6 | HIGH | A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This a |
| CVE-2024-10452 | all versions | 2.2 | LOW | Organization admins can delete pending invites created in an organization they are not part of. |
| CVE-2024-9264 | all versions | 9.9 | CRITICAL | The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb queries containing user input. These que |
| CVE-2024-8996 | < 0.43.2 | 7.3 | HIGH | Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User |
| CVE-2024-8975 | < 1.3.3 | 7.3 | HIGH | Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM Th |
| CVE-2024-1442 | >= 8.5.0 and < 9.5.7 | 6.0 | MEDIUM | A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will |
| CVE-2023-5122 | < 0.6.13 | 5.0 | MEDIUM | Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin |
| CVE-2023-6152 | <= 2.5.0 | 5.4 | MEDIUM | A user changing their email after signing up and verifying it can change it without verification in profile settings. The configu |
| CVE-2023-4399 | >= 9.4.0 and < 9.4.17 | 6.6 | MEDIUM | Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that |
| CVE-2023-4457 | >= 0.9.0 and <= 1.2.2 | 5.5 | MEDIUM | Grafana is an open-source platform for monitoring and observability. The Google Sheets data source plugin for Grafana, versions 0 |
| CVE-2023-4822 | >= 8.0.0 and < 9.4.16 | 6.7 | MEDIUM | Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several orga |
| CVE-2023-3128 | >= 6.7.0 and < 8.5.27 | 9.4 | CRITICAL | Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be |
| CVE-2023-2801 | >= 9.4.0 and < 9.4.12 | 7.5 | HIGH | Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct d |
| CVE-2023-2183 | >= 8.0.0 and < 8.5.26 | 4.1 | MEDIUM | Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the u |
| CVE-2023-1387 | >= 9.1.0 and < 9.2.17 | 4.2 | MEDIUM | Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the abilit |
| CVE-2023-1410 | >= 8.0.0 and < 8.5.22 | 6.2 | MEDIUM | Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite Fun |
| CVE-2023-22462 | >= 9.2.0 and < 9.2.10 | 6.4 | MEDIUM | Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member o |
| CVE-2023-0594 | >= 7.0.0 and < 8.5.21 | 7.3 | HIGH | Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vuln |
| CVE-2023-0507 | >= 8.1.0 and < 8.5.21 | 7.3 | HIGH | Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vuln |
| CVE-2022-23498 | >= 8.3.1 and < 9.2.10 | 7.1 | HIGH | Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all |
| CVE-2022-39324 | < 8.5.16 | 6.7 | MEDIUM | Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create |
| CVE-2022-23552 | >= 8.1.0 and < 8.5.16 | 7.3 | HIGH | Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9. |
| CVE-2022-44643 | >= 1.0.0 and < 1.7.1 | 5.7 | MEDIUM | A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than i |
| CVE-2022-39307 | < 8.5.15 | 6.7 | MEDIUM | Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST requ |
| CVE-2022-39306 | >= 8.0.0 and < 8.5.15 | 6.4 | MEDIUM | Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are sub |
| CVE-2022-39328 | >= 9.2.0 and < 9.2.4 | 9.8 | CRITICAL | Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a ra |
| CVE-2022-39229 | < 8.5.14 | 4.3 | MEDIUM | Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one |
| CVE-2022-39201 | >= 5.0.1 and < 8.5.14 | 6.8 | MEDIUM | Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8 |
| CVE-2022-31130 | < 8.5.14 | 4.9 | MEDIUM | Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5. |
| CVE-2022-31123 | >= 7.0.0 and < 8.5.14 | 6.1 | MEDIUM | Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a by |
| CVE-2022-36062 | < 8.5.13 | 7.6 | HIGH | Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is sub |
| CVE-2022-35957 | < 8.5.13 | 6.6 | MEDIUM | Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escal |
| CVE-2022-31176 | < 3.6.1 | 8.3 | HIGH | Grafana Image Renderer is a Grafana backend plugin that handles rendering of panels & dashboards to PNGs using a headless browser |
| CVE-2022-31107 | >= 5.3.0 and < 8.3.10 | 7.1 | HIGH | Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is |
| CVE-2022-31097 | >= 8.0.0 and < 8.3.10 | 7.3 | HIGH | Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4 |
| CVE-2022-32276 | all versions | 7.5 | HIGH | Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. NOTE: the vendor considers this |
| CVE-2022-32275 | all versions | 7.5 | HIGH | Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. / |
| CVE-2022-29170 | >= 7.4.0 and < 7.5.16 | 6.6 | MEDIUM | Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security feature allows li |
| CVE-2022-28660 | >= 1.1.0 and < 1.2.1 | 9.8 | CRITICAL | The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-Org |
| CVE-2022-24812 | >= 8.1.0 and < 8.4.6 | 8.0 | HIGH | Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses |
| CVE-2022-26148 | <= 7.3.4 | 9.8 | CRITICAL | An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc |
| CVE-2022-21713 | >= 5.0.0 and < 7.5.15 | 4.3 | MEDIUM | Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints wh |
| CVE-2022-21703 | >= 3.0.1 and < 7.5.15 | 6.3 | MEDIUM | Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery |
| CVE-2022-21702 | >= 2.0.1 and < 7.5.15 | 6.5 | MEDIUM | Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thr |
| CVE-2022-21673 | >= 7.2.0 and < 7.5.13 | 4.3 | MEDIUM | Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth |
| CVE-2021-43815 | < 7.5.12 | 4.3 | MEDIUM | Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory tr |
| CVE-2021-43813 | >= 5.0.0 and < 7.5.12 | 4.3 | MEDIUM | Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directo |
| CVE-2021-41090 | >= 0.14.0 and < 0.20.1 | 6.5 | MEDIUM | Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. P |
| CVE-2021-43798 | >= 8.0.1 and < 8.0.7 | 7.5 | HIGH | Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patche |
| CVE-2021-41244 | >= 8.0.0 and < 8.2.4 | 9.1 | CRITICAL | Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control bet |
| CVE-2021-41174 | >= 8.0.0 and < 8.2.3 | 6.9 | MEDIUM | Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a vic |
| CVE-2021-39226 | < 7.5.11 | 9.8 | CRITICAL | Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to vi |
| CVE-2021-36156 | <= 2.2.1 | 5.3 | MEDIUM | An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules fi |
| CVE-2021-31231 | < 1.2.1 | 5.5 | MEDIUM | The Alertmanager in Grafana Enterprise Metrics before 1.2.1 and Metrics Enterprise 1.2.1 has a local file disclosure vulnerability |
| CVE-2021-28148 | >= 6.0.0 and < 6.7.6 | 7.5 | HIGH | One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is |
| CVE-2021-28147 | >= 6.0.0 and < 6.7.6 | 6.5 | MEDIUM | The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access C |
| CVE-2021-28146 | >= 7.4.0 and < 7.4.5 | 6.5 | MEDIUM | The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using |
| CVE-2021-27962 | >= 7.2.0 and < 7.3.10 | 7.1 | HIGH | Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check con |
| CVE-2021-27358 | >= 6.7.3 and <= 7.4.1 | 7.5 | HIGH | The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service v |
| CVE-2020-27846 | < 6.7.5 | 9.8 | CRITICAL | A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The hig |
| CVE-2020-24303 | <= 7.0.5 | 6.1 | MEDIUM | Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. |
| CVE-2019-19499 | <= 6.4.3 | 6.5 | MEDIUM | Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileg |
| CVE-2020-11110 | <= 6.7.1 | 5.4 | MEDIUM | Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to |
| CVE-2020-13379 | >= 3.0.1 and <= 7.0.1 | 8.2 | HIGH | The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauth |
| CVE-2018-18625 | all versions | 6.1 | MEDIUM | Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplet |
| CVE-2018-18624 | all versions | 6.1 | MEDIUM | Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete |
| CVE-2018-18623 | all versions | 6.1 | MEDIUM | Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-1 |
| CVE-2020-13430 | < 7.0.0 | 6.1 | MEDIUM | Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource. |
| CVE-2020-13429 | < 1.5.0 | 5.4 | MEDIUM | legend.ts in the piechart-panel (aka Pie Chart Panel) plugin before 1.5.0 for Grafana allows XSS via the Values Header (aka legend |
| CVE-2020-12459 | >= 6.0.0 and <= 6.3.6 | 5.5 | MEDIUM | In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap. |
| CVE-2020-12458 | <= 6.7.3 | 5.5 | MEDIUM | An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/ |
| CVE-2020-12052 | < 6.7.3 | 6.1 | MEDIUM | Grafana version < 6.7.3 is vulnerable for annotation popup XSS. |
| CVE-2020-12245 | < 6.7.3 | 6.1 | MEDIUM | Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip. |
| CVE-2019-15635 | all versions | 4.9 | MEDIUM | An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin use |
| CVE-2019-15043 | >= 2.0.0 and < 5.4.5 | 7.5 | HIGH | In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial o |
| CVE-2019-13068 | < 6.2.5 | 5.4 | MEDIUM | public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or u |
| CVE-2015-9282 | <= 1.3.4 | 6.1 | MEDIUM | The Pie Chart Panel plugin through 2019-01-02 for Grafana is vulnerable to XSS via legend data or tooltip data. When a chart is in |
| CVE-2018-1000816 | all versions | 5.4 | MEDIUM | Grafana version confirmed for 5.2.4 and 5.3.0 contains a Cross Site Scripting (XSS) vulnerability in Influxdb and Graphite query e |
| CVE-2018-19039 | < 4.6.5 | 6.5 | MEDIUM | Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin |
| CVE-2018-15727 | >= 2.0.0 and <= 2.1.2 | 9.8 | CRITICAL | Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid |
| CVE-2018-12099 | <= 5.1.3 | 6.1 | MEDIUM | Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links. |
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin