CVE-2026-21721

EUVD-2026-4820
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
Affected Products (NVD)
VendorProductVersion
grafanagrafana
10.2.0 ≤
𝑥
< 11.6.9
grafanagrafana
12.0.0 ≤
𝑥
< 12.0.8
grafanagrafana
12.1.0 ≤
𝑥
< 12.1.5
grafanagrafana
12.2.0 ≤
𝑥
< 12.2.3
grafanagrafana
11.6.9
grafanagrafana
12.0.8
grafanagrafana
12.1.5
grafanagrafana
12.2.3
grafanagrafana
12.3.0
grafanagrafana
12.3.1
𝑥
= Vulnerable software versions
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
grafana
RHEL 9
0:10.2.6-18.el9_7
fixed
grafana-selinux
RHEL 9
0:10.2.6-18.el9_7
fixed
Common Weakness Enumeration
References
https://grafana.com/security/security-advisories/cve-2026-21721