CVE-2026-27877
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Grafana | Grafana | 9.3.0 < 11.6.14 | affected |
| Grafana | Grafana | 12.0.0 < 12.1.10 | affected |
| Grafana | Grafana | 12.2.0 < 12.2.8 | affected |
| Grafana | Grafana | 12.3.0 < 12.3.6 | affected |
| Grafana | Grafana | 12.4.0 < 12.4.2 | affected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
Additional References
grafana: Grafana: Information disclosure of data-source passwords via public dashboards
Additional References
- https://access.redhat.com/security/cve/CVE-2026-27877
- https://bugzilla.redhat.com/show_bug.cgi?id=2452293
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27877.json
- https://access.redhat.com/errata/RHSA-2026:11417
- https://access.redhat.com/errata/RHSA-2026:10223
- https://access.redhat.com/errata/RHSA-2026:19134
- https://access.redhat.com/errata/RHSA-2026:11416
- https://access.redhat.com/errata/RHSA-2026:10226
- https://access.redhat.com/errata/RHSA-2026:19352
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.