CVE-2026-21724 — Missing Protected-field Authorization in Provisioning Contact Points API

Description

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

How to fix CVE-2026-21724

To remediate CVE-2026-21724, upgrade the affected package to a fixed version below.

—upgrade to 11.6.14 or later
—upgrade to 1.9.2-0.20260323180334-daffe750de85 or later

Is CVE-2026-21724 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 11.6.9, < 11.6.14, >= 12.1.5, < 12.1.10, >= 12.2.2, < 12.2.8, >= 12.3.1, < 12.3.6
from 0, < 1.9.2-0.20260323180334-daffe750de85

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-21724
PATCHgithub.com/grafana/grafana
WEBgithub.com/grafana/grafana/commit/daffe750de85b0dbf79f206a35835cf66a83d6ca
WEBgithub.com/grafana/grafana/releases/tag/v12.3.6
WEB