CVE-2026-21724

Summary

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Affected Software

VendorProductVersion RangeStatus
GrafanaGrafana OSS12.3.1 < 12.3.6affected
GrafanaGrafana OSS12.2.2 < 12.2.8affected
GrafanaGrafana OSS12.1.5 < 12.1.10affected
GrafanaGrafana OSS11.6.9 < 11.6.14affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References