CVE-2026-21721

EUVD-2026-4820
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
GRAFANACNA
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
grafanagrafana
12.3.0 ≤
𝑥
< 12.3.1
CNA
grafanagrafana
12.2.0 ≤
𝑥
< 12.2.3
CNA
grafanagrafana
12.1.0 ≤
𝑥
< 12.1.5
CNA
grafanagrafana
12.0.0 ≤
𝑥
< 12.0.8
CNA
grafanagrafana
10.2.0 ≤
𝑥
< 11.6.9
CNA
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://grafana.com/security/security-advisories/cve-2026-21721