8.1
CVE-2026-21721
- EPSS 0.65%
- Veröffentlicht 27.01.2026 09:15:48
- Zuletzt bearbeitet 30.06.2026 03:17:24
- Quelle security@grafana.com
- CVE-Watchlists
- Unerledigt
Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.65% | 0.464 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@grafana.com | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://grafana.com/security/security-advisories/cve-2026-21721
https://access.redhat.com/errata/RHSA-2026:5633
https://access.redhat.com/errata/RHSA-2026:8229
https://access.redhat.com/errata/RHSA-2026:2914
https://access.redhat.com/errata/RHSA-2026:2920
https://access.redhat.com/errata/RHSA-2026:3078
https://access.redhat.com/errata/RHSA-2026:3529
https://access.redhat.com/security/cve/CVE-2026-21721
https://bugzilla.redhat.com/show_bug.cgi?id=2433242
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21721.json