CVE-2026-21722

Public Dashboards time range restriction on annotations can be bypassed

CVSS base score: 5.3

Public dashboards with annotations enabled did not limit their annotation query time range to the locked time range of the public dashboard. This means that anyone viewing the public dashboard could read the entire history of annotations visible on that dashboard, including those outside the locked time range.

This did not leak any annotations that would not otherwise be visible on the public dashboard.
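The fix the advisory implies is to intersect the client-supplied annotation query range with the range the public dashboard is locked to, before the annotation store is consulted. The following Go program is an added example and is not Grafana's code: the TimeRange and Annotation types, the function names, and the sample annotations are all constructed here for illustration. It shows the flawed behaviour (the query trusts the requested range) beside the hardened form (the requested range is clamped, and a request that does not overlap the locked range is rejected rather than silently widened).

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TimeRange is a closed interval [From, To] (hypothetical type, not Grafana's).
type TimeRange struct {
	From, To time.Time
}

// Annotation is a minimal stand-in for a dashboard annotation (hypothetical type).
type Annotation struct {
	Text string
	Time time.Time
}

// ErrOutsideLockedRange is returned when the requested range does not overlap the locked range.
var ErrOutsideLockedRange = errors.New("requested range lies outside the public dashboard's locked time range")

// ClampToLocked intersects the client-supplied range with the range the public
// dashboard is locked to. The client may narrow the query but never widen it.
func ClampToLocked(requested, locked TimeRange) (TimeRange, error) {
	from, to := requested.From, requested.To
	if from.Before(locked.From) {
		from = locked.From
	}
	if to.After(locked.To) {
		to = locked.To
	}
	if to.Before(from) {
		// Empty intersection: reject instead of falling back to a wider range.
		return TimeRange{}, ErrOutsideLockedRange
	}
	return TimeRange{From: from, To: to}, nil
}

// inRange reports whether t lies within r (inclusive bounds).
func inRange(t time.Time, r TimeRange) bool {
	return !t.Before(r.From) && !t.After(r.To)
}

// queryAnnotationsUnchecked models the flawed behaviour described in the
// advisory: the annotation query trusts whatever range the client sent.
func queryAnnotationsUnchecked(store []Annotation, requested TimeRange) []Annotation {
	var out []Annotation
	for _, a := range store {
		if inRange(a.Time, requested) {
			out = append(out, a)
		}
	}
	return out
}

// queryAnnotationsForPublicDashboard is the hardened form: the requested
// range is clamped to the locked range before the store is consulted.
func queryAnnotationsForPublicDashboard(store []Annotation, locked, requested TimeRange) ([]Annotation, error) {
	effective, err := ClampToLocked(requested, locked)
	if err != nil {
		return nil, err
	}
	return queryAnnotationsUnchecked(store, effective), nil
}

// Constructed sample data: three annotations spread across 2024 and a
// public dashboard locked to May-June 2024.
var (
	sampleAnnotations = []Annotation{
		{Text: "Q1 incident postmortem", Time: time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC)},
		{Text: "June deploy", Time: time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)},
		{Text: "Year-end maintenance", Time: time.Date(2024, 12, 20, 0, 0, 0, 0, time.UTC)},
	}
	lockedRange = TimeRange{
		From: time.Date(2024, 5, 1, 0, 0, 0, 0, time.UTC),
		To:   time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC),
	}
	// A client widening the query far beyond the locked range.
	wideRequest = TimeRange{
		From: time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
		To:   time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	// A client asking for a window that does not overlap the locked range at all.
	disjointRequest = TimeRange{
		From: time.Date(2024, 9, 1, 0, 0, 0, 0, time.UTC),
		To:   time.Date(2024, 10, 1, 0, 0, 0, 0, time.UTC),
	}
)

func main() {
	leaked := queryAnnotationsUnchecked(sampleAnnotations, wideRequest)
	fmt.Printf("unchecked query returned %d annotations (the whole history)\n", len(leaked))

	safe, err := queryAnnotationsForPublicDashboard(sampleAnnotations, lockedRange, wideRequest)
	fmt.Printf("clamped query returned %d annotation(s), err=%v\n", len(safe), err)

	_, err = queryAnnotationsForPublicDashboard(sampleAnnotations, lockedRange, disjointRequest)
	fmt.Printf("disjoint request: err=%v\n", err)
}
```

The clamp lives on the server side, keyed on the dashboard's stored locked range, so it cannot be influenced by query parameters; the only decision left to the caller is whether an empty intersection should be an error (as here) or an empty result set.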
Data provided by the National Vulnerability Database (NVD)
Affected versions (Grafana):
  >= 9.3.0, < 11.6.10
  >= 12.0.0, < 12.1.6
  >= 12.2.0, <= 12.2.4
  >= 12.3.0, <= 12.3.2

Fixed in (update):
  Grafana 11.6.10
  Grafana 12.1.6
  Grafana 12.2.4
  Grafana 12.3.2

Note: as listed here, the 12.2 and 12.3 ranges have inclusive upper bounds that coincide with the fix versions named in the update entries (12.2.4 and 12.3.2). Check the vendor release notes before deciding whether an install on exactly 12.2.4 or 12.3.2 still needs action.
No warning (advisory notice) was found for this CVE.
EPSS metrics
  Type   Source     Score   Percentile
  EPSS   FIRST.org  0.03%   0.073
CVSS metrics
  Source                Base Score   Exploitability Score   Impact Score   Vector String
  security@grafana.com  5.3          3.9                    1.4            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.