5.3

CVE-2026-21722

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.

This did not leak any annotations that would not otherwise be visible on the public dashboard.
Linked by AI from unstructured data to existing NVD CPEs
Data provided by the National Vulnerability Database (NVD)
Grafana Grafana Version >= 9.3.0 < 11.6.10
Grafana Grafana Version >= 12.0.0 < 12.1.6
Grafana Grafana Version >= 12.2.0 <= 12.2.4
Grafana Grafana Version >= 12.3.0 <= 12.3.2
Grafana Grafana Version 11.6.10 Update -
Grafana Grafana Version 12.1.6 Update -
Grafana Grafana Version 12.2.4 Update -
Grafana Grafana Version 12.3.2 Update -
No CISA KEV entry or CERT.AT warning was found for this CVE.
EPSS Metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.01% | 0.02 |
CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| security@grafana.com | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.