CVE-2026-27877

Summary

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.

No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

Affected Software

VendorProductVersion RangeStatus
GrafanaGrafana9.3.0 < 11.6.14affected
GrafanaGrafana12.0.0 < 12.1.10affected
GrafanaGrafana12.2.0 < 12.2.8affected
GrafanaGrafana12.3.0 < 12.3.6affected
GrafanaGrafana12.4.0 < 12.4.2affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

Additional References

grafana: Grafana: Information disclosure of data-source passwords via public dashboards

Additional References

References