CVE-2026-21722

Medium CVSS: 5.3

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.

This did not leak any annotations that would not otherwise be visible on the public dashboard.

Vendor

Grafana

Product

Grafana

CWE

CWE-200

Yayın Tarihi

2026-02-12 09:16:08

Güncelleme

2026-02-27 15:16:27

Source Identifier

security@grafana.com

KEV Date Added

Kategoriler

CWE-200 Grafana MEDIUM Grafana 2026

Referanslar

https://grafana.com/security/security-advisories/cve-2026-21722

Benzer Kayıtlar

Medium

CVE-2026-27877

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being u…

Medium

CVE-2026-27879

A resample query can be used to trigger out-of-memory crashes in Grafana.

High

CVE-2026-27880

The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory cra…

Medium

CVE-2026-28375

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

Critical

CVE-2026-27876

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impac…

High

CVE-2026-28377

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, p…