CVE-2026-21724

EUVD-2026-16338
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with the Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Provider | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | Primary | 5.4 MEDIUM | NETWORK     | LOW             | LOW            | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Base Score: CVSS 3.x
EPSS Score Percentile: 2%
Affected Products (NVD)

Vendor  | Product | Version
grafana | grafana | 11.6.9 ≤ x < 11.6.14
grafana | grafana | 12.1.5 ≤ x < 12.1.10
grafana | grafana | 12.2.2 ≤ x < 12.2.8
grafana | grafana | 12.3.1 ≤ x < 12.3.6

x = vulnerable software versions