CVE-2025-3260

EPSS 0.02%
Veröffentlicht 02.06.2025 10:15:21
Zuletzt bearbeitet 02.06.2025 17:32:17
Quelle security@grafana.com
Teams Watchlist Login
Unerledigt Login

A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).

Impact:

- Viewers can view all dashboards/folders regardless of permissions

- Editors can view/edit/delete all dashboards/folders regardless of permissions

- Editors can create dashboards in any folder regardless of permissions

- Anonymous users with viewer/editor roles are similarly affected

Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerGrafana

≫

Produkt Grafana

Version < 11.6.1+security-01

Version 11.6.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.029

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@grafana.com	8.3	2.8	5.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://grafana.com/security/security-advisories/CVE-2025-3260/

https://nvd.nist.gov/vuln/detail/CVE-2025-3260

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-3260

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-3260

EUVD