| Severity | Score | Advisory | Affected versions |
|---|---|---|---|
| | | | >= 8.0.1, < 8.0.7, >= 8.1.0, < 8.1.8, >= 8.2.0, < 8.2.7, >= 8.3.0, < 8.3.1 |
| | | | from 0, < 7.5.11, >= 8.0.0, < 8.1.6 |
| CRITICAL | 10.0 | Incorrect privilege assignment | >= 12.0.0, < 12.2.1 |
| CRITICAL | 9.9 | Grafana SQL Expressions allow for remote code execution | >= 11.0.0, < 11.2.2 |
| CRITICAL | 9.8 | Grafana vulnerable to race condition allowing privilege escalation | >= 9.2.0, < 9.2.4 |
| CRITICAL | 9.8 | An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. | from 0, < 7.3.5 |
| CRITICAL | 9.8 | The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is use… | >= 1.1.0, < 1.2.1 \| >= 1.3.0, <= 1.3.0 |
| CRITICAL | 9.8 | Signature validation bypass due to XML processing error in github.com/crewjam/saml | from 0, < 6.7.5, >= 7.0.0, < 7.2.3, >= 7.3.0, < 7.3.6 |
| CRITICAL | 9.4 | Grafana vulnerable to Authentication Bypass by Spoofing | >= 6.7.0, < 8.5.27, >= 9.2.0, < 9.2.20, >= 9.3.0, < 9.3.16, >= 9.4.0, < 9.4.13, >= 9.5.0, < 9.5.4 |
| CRITICAL | 9.1 | RCE on Grafana via sqlExpressions | >= 11.6.0, < 11.6.14, >= 12.0.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.2 |
| CRITICAL | 9.1 | Cross organization admin control in Grafana | >= 8.0.0, < 8.2.4 |
| HIGH | 8.8 | When query caching is enabled in Grafana users can query another users session | >= 8.3.1, < 9.2.10, >= 9.3.0, < 9.3.4 |
| HIGH | 8.8 | FGAC API Key privilege escalation in Grafana | >= 8.1.0, < 8.4.6 |
| HIGH | 8.5 | Grafana Enterprise datasource network restrictions bypass via HTTP redirects | >= 7.4.0, < 7.5.16, >= 8.0.0, < 8.5.3 |
| HIGH | 8.3 | Grafana vulnerable to authenticated users bypassing dashboard, folder permissions in github.com/grafana/grafana | >= 11.6.0, < 11.6.1 |
| HIGH | 8.2 | Denial of service in Grafana | >= 6.7.3, < 7.4.2 |
| HIGH | 8.1 | Dashboard Permissions Scope Bypass Enables Cross-Dashboard Privilege Escalation | >= 10.2.0, < 11.6.9, >= 12.0.0, < 12.0.8, >= 12.1.0, < 12.1.5, >= 12.2.0, < 12.2.3, >= 12.3.0, < 12.3.1 |
| HIGH | 7.6 | Grafana is vulnerable to XSS attacks through open redirects and path traversal in github.com/grafana/grafana | >= 11.3.0, < 11.6.3, >= 12.0.0, < 12.0.2 |
| HIGH | 7.6 | Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin in github.com/grafana/grafana | from 0, < 10.4.18, >= 11.0.0, < 11.6.1, >= 12.0.0, < 12.0.0 |
| HIGH | 7.6 | Grafana folders admin only permission privilege escalation | from 0, < 8.5.13, >= 9.0.0, < 9.0.9, >= 9.1.0, < 9.1.6 |
| HIGH | 7.5 | OpenFeature evaluation API reads input data with no bounds | >= 12.1.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.2 |
| HIGH | 7.5 | Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out | >= 3.0.0, < 11.6.9, >= 12.0.0, < 12.0.8, >= 12.1.0, < 12.1.5, >= 12.2.0, < 12.2.3, >= 12.3.0, < 12.3.1 |
| HIGH | 7.5 | One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessibl… | >= 6.0.0, < 6.7.6, >= 7.0.0, < 7.3.10, >= 7.4.0, < 7.4.5 |
| HIGH | 7.5 | Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. | >= 8.4.3, < 8.4.4 |
| HIGH | 7.5 | Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. | >= 8.4.3, < 8.4.4 |
| HIGH | 7.5 | Grafana is an open-source platform for monitoring and observability. | >= 9.1.0, < 9.2.17, >= 9.3.0, < 9.3.13, >= 9.4.0, < 9.4.9 |
| HIGH | 7.5 | Grafana Missing Synchronization vulnerability | >= 9.4.0, < 9.4.12, >= 9.5.0, < 9.5.3 |
| HIGH | 7.4 | Auth Proxy IPv6 whitelist bypass | >= 9.4.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1 |
| HIGH | 7.3 | Stored XSS in Grafana's Unified Alerting | >= 8.0.0, < 8.3.10, >= 8.4.0, < 8.4.10, >= 8.5.0, < 8.5.9, >= 9.0.0, < 9.0.3 |
| HIGH | 7.2 | Grafana is an open-source platform for monitoring and observability. | >= 9.4.0, < 9.4.17, >= 9.5.0, < 9.5.13, >= 10.0.0, < 10.0.9, >= 10.1.0, < 10.1.5 |
| HIGH | 7.1 | Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin | >= 8.5.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1 |
| HIGH | 7.1 | Grafana account takeover via OAuth vulnerability | >= 5.3.0, < 8.3.10, >= 8.4.0, < 8.4.10, >= 8.5.0, < 8.5.9, >= 9.0.0, < 9.0.3 |
| HIGH | 7.1 | Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a… | >= 7.2.0, < 7.3.10, >= 7.4.0, < 7.4.5 |
| MEDIUM | 6.9 | XSS vulnerability allowing arbitrary JavaScript execution | >= 8.0.0, < 8.2.3 |
| MEDIUM | 6.8 | XSS in Grafana Explore stack trace | >= 12.2.0, < 12.2.4, >= 12.3.0, < 12.3.2 |
| MEDIUM | 6.8 | The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. | >= 11.2.0, < 11.5.3, >= 11.6.0, < 11.6.0 |
| MEDIUM | 6.8 | Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins | >= 5.0.1, < 8.5.14, >= 9.0.0, < 9.1.8 |
| MEDIUM | 6.8 | Cross site scripting in Grafana proxy | >= 2.0.1, < 7.5.15, >= 8.0.0, < 8.3.5 |
| MEDIUM | 6.8 | Cross Site Request Forgery in Grafana | >= 3.0.1, < 7.5.15, >= 8.0.0, < 8.3.5 |
| MEDIUM | 6.7 | Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password | from 0, < 8.5.15, >= 9.0.0, < 9.2.4 |
| MEDIUM | 6.7 | Grafana vulnerable to spoofing originalUrl of snapshots | from 0, < 8.5.16, >= 9.0.0, < 9.2.8 |
| MEDIUM | 6.7 | Grafana privilege escalation vulnerability | >= 8.0.0, < 9.4.16, >= 9.5.0, < 9.5.11, >= 10.0.0, < 10.0.7, >= 10.1.0, < 10.1.3 \| >= 10.1.4, <= 10.1.4 |
| MEDIUM | 6.6 | Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin | from 0, < 8.5.13, >= 9.0.0, < 9.0.9, >= 9.1.0, < 9.1.6 |
| MEDIUM | 6.5 | Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro | >= 8.0.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1 |
| MEDIUM | 6.5 | Grafana plugin resources can lead to unbounded memory allocation | >= 6.7.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1 |
| MEDIUM | 6.5 | BAC in Snapshot API allows deletion of unauthorized dashboard snapshots | >= 9.4.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1 |
| MEDIUM | 6.5 | Viewer-triggered race condition in Grafana Live leads to complete server crash | >= 8.2.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1 |
| MEDIUM | 6.5 | Grafana Live push endpoint allows unbounded memory allocation leading to OOM | >= 8.0.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1 |
| MEDIUM | 6.5 | Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS | >= 11.6.0, < 11.6.14, >= 12.1.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.2 |
| MEDIUM | 6.5 | Grafana Testdata datasource can issue unbounded memory allocations | >= 8.1.0, < 11.6.14, >= 12.0.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.2 |
| MEDIUM | 6.5 | Query resampling can cause unbounded memory allocations | >= 8.0.0, < 11.6.14, >= 12.0.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.2 |
| MEDIUM | 6.5 | Public dashboards discloses all direct mode datasources | >= 9.3.0, < 11.6.14, >= 12.0.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.2 |
| MEDIUM | 6.5 | Users outside an organization can delete a snapshot with its key | >= 9.5.0, < 9.5.18, >= 10.0.0, < 10.0.13, >= 10.1.0, < 10.1.9, >= 10.2.0, < 10.2.6, >= 10.3.0, < 10.3.5 |
| MEDIUM | 6.5 | The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. | >= 7.4.0, < 7.4.5 |
| MEDIUM | 6.5 | The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control is… | >= 6.0.0, < 6.7.6, >= 7.0.0, < 7.3.10, >= 7.4.0, < 7.4.5 |
| MEDIUM | 6.4 | Grafana contains Improper Input Validation | >= 8.0.0, < 8.5.15, >= 9.0.0, < 9.2.4 |
| MEDIUM | 6.4 | Stored XSS in Grafana Text plugin | >= 9.2.0, < 9.2.10, >= 9.3.0, < 9.3.4 |
| MEDIUM | 6.3 | SQL Expressions Read File From Disk | >= 11.6.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1 |
| MEDIUM | 6.2 | Stored XSS in Graphite FunctionDescription tooltip | >= 8.0.0, < 8.5.22, >= 9.2.0, < 9.2.15, >= 9.3.0, < 9.3.11 |
| MEDIUM | 6.1 | Grafana plugin signature bypass vulnerability | >= 7.0.0, < 8.5.14, >= 9.0.0, < 9.1.8 |
| MEDIUM | 6.1 | Grafana version < 6.7.3 is vulnerable for annotation popup XSS. | from 0, < 6.7.3 |
| MEDIUM | 6.1 | Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana | from 0, < 7.0.6 |
| MEDIUM | 6.1 | Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana | from 0, < 7.0.0 |
| MEDIUM | 6.1 | Grafana XSS in header column rename in github.com/grafana/grafana | from 0, < 6.7.3 |
| MEDIUM | 6.0 | User with permissions to create a data source can CRUD all data sources | >= 8.5.0, < 9.5.7, >= 10.0.0, < 10.0.12, >= 10.1.0, < 10.1.8, >= 10.2.0, < 10.2.5, >= 10.3.0, < 10.3.4 |
| MEDIUM | 5.9 | Users can generate Service Account tokens after permissions removal | >= 9.2.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1 |
| MEDIUM | 5.8 | Server Side Request Forgery in Grafana | >= 3.0.1, < 7.0.2 |
| MEDIUM | 5.5 | An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server admin… | >= 10.4.18, < 10.4.19, >= 11.2.9, < 11.2.10, >= 11.3.6, < 11.3.7, >= 11.4.4, < 11.4.5, >= 11.5.4, < 11.5.5, >= 11.6.1, < 11.6.2, >= 12.0.0, < 12.0.1 |
| MEDIUM | 5.5 | Grafana information disclosure in github.com/grafana/grafana | from 0, < 6.7.4 |
| MEDIUM | 5.5 | Grafana world readable configuration files in github.com/grafana/grafana | >= 6.0.0, < 6.3.7 |
| MEDIUM | 5.4 | Missing Protected-field Authorization in Provisioning Contact Points API | >= 11.6.9, < 11.6.14, >= 12.1.5, < 12.1.10, >= 12.2.2, < 12.2.8, >= 12.3.1, < 12.3.6 |
| MEDIUM | 5.4 | Grafana stored XSS in FileUploader component | >= 8.1.0, < 8.5.16, >= 9.0.0, < 9.2.10, >= 9.3.0, < 9.3.4 |
| MEDIUM | 5.4 | Email Validation Bypass And Preventing Sign Up From Email's Owner | >= 2.5.0, < 9.5.16, >= 10.0.0, < 10.0.11, >= 10.1.0, < 10.1.7, >= 10.2.0, < 10.2.4, >= 10.3.0, < 10.3.3 |
| MEDIUM | 5.4 | Grafana vulnerable to Cross-site Scripting | >= 7.0.0, < 8.5.21, >= 9.2.0, < 9.2.13, >= 9.3.0, < 9.3.8 |
| MEDIUM | 5.4 | Grafana vulnerable to Cross-site Scripting | >= 8.1.0, < 8.5.21, >= 9.2.0, < 9.2.13, >= 9.3.0, < 9.3.8 |
| MEDIUM | 5.4 | Grafana stored XSS in github.com/grafana/grafana | from 0, < 6.7.2 |
| MEDIUM | 5.3 | Public Dashboards time range restriction on annotations can be bypassed | >= 9.3.0, < 11.6.10, >= 12.0.0, < 12.1.6, >= 12.2.0, < 12.2.4, >= 12.3.0, < 12.3.2 |
| MEDIUM | 5.3 | SSRF in CSV Datasource Plugin | from 0, < 0.6.13 |
| MEDIUM | 5.0 | Grafana's datasource proxy API allows authorization checks to be bypassed in github.com/grafana/grafana | >= 10.4.0, < 10.4.17, >= 11.2.0, < 11.5.3, >= 11.6.0, < 11.6.0 |
| MEDIUM | 4.9 | Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins | from 0, < 8.5.14, >= 9.0.0, < 9.1.8 |
| MEDIUM | 4.4 | Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana | >= 11.1.0, < 11.1.3 |
| MEDIUM | 4.3 | IDOR in Annotations API allows unprivileged users to DELETE annotation | >= 8.5.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1 |
| MEDIUM | 4.3 | Grafana's insecure DingDing Alert integration exposes sensitive information in github.com/grafana/grafana | >= 10.4.0, < 10.4.19, >= 11.2.0, < 11.6.2, >= 12.0.0, < 12.0.1 |
| MEDIUM | 4.3 | Grafana Alerting VictorOps integration could be exposed to users with Viewer permission in github.com/grafana/grafana | >= 10.4.0, < 10.4.15, >= 11.1.0, < 11.5.0 |
| MEDIUM | 4.3 | Grafana users with email as a username can block other users from signing in | from 0, < 8.5.14, >= 9.0.0, < 9.1.8 |
| MEDIUM | 4.3 | Exposure of Sensitive Information in Grafana | >= 5.0.0, < 7.5.15, >= 8.0.0, < 8.3.5 |
| MEDIUM | 4.3 | Grafana directory traversal for `.cvs` files | from 0, < 7.5.12, >= 8.0.0, < 8.3.2 |
| MEDIUM | 4.3 | Directory Traversal in Grafana | >= 5.0.0, < 7.5.12, >= 8.0.0, < 8.3.2 |
| MEDIUM | 4.3 | OAuth Identity Token exposure in Grafana | >= 7.2.0, < 7.5.13, >= 8.0.0, < 8.3.4 |
| MEDIUM | 4.2 | An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. | >= 11.3.0, < 11.6.3, >= 12.0.0, < 12.0.2 |
| MEDIUM | 4.1 | Grafana has Broken Access Control in Alert manager: Viewer can send test alerts | >= 8.0.0, < 8.5.26, >= 9.0.0, < 9.2.19, >= 9.3.0, < 9.3.15, >= 9.4.0, < 9.4.12, >= 9.5.0, < 9.5.3 |
| LOW | 3.3 | Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record | from 0, < 11.6.11, >= 12.0.0, < 12.0.9, >= 12.1.0, < 12.1.6, >= 12.2.0, < 12.2.4, >= 12.3.0, < 12.3.3 |
| LOW | 2.7 | Very long unicode dashboard title or panel name can hang the frontend | from 0, < 11.6.2 |
| LOW | 2.2 | Grafana org admin can delete pending invites in different org in github.com/grafana/grafana | from 0, < 10.4.13, >= 11.0.0, < 11.4.0 |
| LOW | 2.0 | Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name | >= 11.0.0, < 12.4.1 |
| — | | Grafana Alerting Editors can edit destination of webhooks they did not create | >= 8.0.0, < 12.3.1 |
| — | | Grafana alerting wrong permission on datasource rule write endpoint | >= 8.5.0, < 10.4.9, >= 11.0.0, < 11.2.1 |