CVE-2026-21721

Summary

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.

Affected Software

VendorProductVersion RangeStatus
Grafanagrafana/grafana12.3.0 < 12.3.1affected
Grafanagrafana/grafana12.2.0 < 12.2.3affected
Grafanagrafana/grafana12.1.0 < 12.1.5affected
Grafanagrafana/grafana12.0.0 < 12.0.8affected
Grafanagrafana/grafana10.2.0 < 11.6.9affected
Grafanagrafana/grafana-enterprise10.2.0 < 11.6.9affected
Grafanagrafana/grafana-enterprise12.0.0 < 12.0.8affected
Grafanagrafana/grafana-enterprise12.1.0 < 12.1.5affected
Grafanagrafana/grafana-enterprise12.2.0 < 12.2.3affected
Grafanagrafana/grafana-enterprise12.3.0 < 12.3.1affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation

Additional References

References