PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-43798 Grafana Labs CVE debrief

CVE-2021-43798 is a path traversal vulnerability in Grafana that CISA lists in its Known Exploited Vulnerabilities (KEV) catalog. Because the flaw is confirmed exploited in the wild, Grafana deployments should be treated as urgent remediation candidates, above all instances that are reachable from the internet or shared by many users.

Vendor
Grafana Labs
Product
Grafana
CVSS
Not provided in the supplied sources
CISA KEV
Listed (added 2025-10-09, remediation due 2025-10-30)
Original CVE published
2021-12-07
Original CVE updated
2025-10-09
Advisory published
2025-10-09
Advisory updated
2025-10-09

Who should care

Grafana administrators, cloud and SaaS platform owners, security operations teams, and vulnerability management teams responsible for Grafana deployments.

Technical summary

The supplied sources identify this issue as a path traversal vulnerability in Grafana. CISA's KEV entry records it as known exploited and points to Grafana's advisory and the NVD/CVE records for additional reference; the fixed releases named in the KEV notes (8.3.1, 8.2.7, 8.1.8 and 8.0.7) imply that the 8.0 through 8.3 branches before those versions are the affected ones. The corpus does not provide exploit mechanics beyond the path traversal classification. Path traversal in a web application of this class typically means a requester can read files on the server's filesystem outside the intended web root, so operators of an exposed, unpatched instance should assume that sensitive files on the host, such as configuration files or credentials, may have been read until they have checked their logs.
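Because the page classifies the flaw as path traversal but does not describe the affected request path, the detection a SOC can apply without that detail is a generic one: flag any request to a Grafana host whose path, after full percent-decoding, still contains a `..` segment, and escalate those that got a 2xx response. The following is an added example written for this debrief, not code from PatchSiren, CISA or Grafana Labs; the access-log lines are constructed, and the `/public/img/` paths in them are illustrative rather than the endpoint the vulnerability actually uses. It handles single and double percent-encoding and ignores `..` that only appears in the query string.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not real traffic).
# The traversal targets are generic; this page does not name the affected endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Oct/2025:10:00:01 +0000] "GET /public/build/grafana.dark.css HTTP/1.1" 200 1320
10.0.0.7 - - [09/Oct/2025:10:00:02 +0000] "GET /api/health HTTP/1.1" 200 55
203.0.113.9 - - [09/Oct/2025:10:00:03 +0000] "GET /public/img/../../../etc/passwd HTTP/1.1" 200 1754
203.0.113.9 - - [09/Oct/2025:10:00:04 +0000] "GET /public/img/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1754
203.0.113.9 - - [09/Oct/2025:10:00:05 +0000] "GET /public/img/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 29
10.0.0.8 - - [09/Oct/2025:10:00:06 +0000] "GET /d/abc123/dashboard?orgId=1&from=..%2Fx HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly until the string stops changing, so that
    double-encoded sequences such as %252e%252e (-> %2e%2e -> ..) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_traversal(target):
    """True if the request path (query string ignored) contains a '..' segment
    after full percent-decoding. Backslashes are treated as separators too."""
    path = target.split('?', 1)[0]
    decoded = decode_fully(path).replace('\\', '/')
    return any(segment == '..' for segment in decoded.split('/'))


def find_traversal_attempts(log_text):
    """Return one dict per suspicious request. likely_success marks a 2xx
    response, which is the case worth escalating to incident response."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip rather than guess
        if is_traversal(m['target']):
            status = int(m['status'])
            hits.append({'ip': m['ip'], 'time': m['ts'], 'target': m['target'],
                         'status': status, 'likely_success': 200 <= status < 300})
    return hits


if __name__ == '__main__':
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

On the constructed sample the detector reports the three requests from 203.0.113.9 and nothing else; the two that returned 200 are the ones to treat as a possible successful file read. A 404 on a traversal attempt is still worth recording, since it shows the host was being probed while it may have been unpatched.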

Defensive priority

High. CISA added this CVE to KEV on 2025-10-09 with a BOD 22-01 remediation due date of 2025-10-30, so affected systems should be prioritized immediately, whether or not the binding directive formally applies to your organization.

Recommended defensive actions

  • Follow the linked Grafana advisory and apply the vendor's mitigations.
  • Upgrade to the first fixed release of your deployment's branch as referenced in the KEV notes: 8.0.7, 8.1.8, 8.2.7 or 8.3.1 (any later release already contains the fix).
  • If mitigations are unavailable, discontinue use of the product, per CISA's KEV guidance.
  • For cloud services, follow applicable BOD 22-01 guidance.
  • Inventory every Grafana instance, including ones bundled inside other products, confirm the version each one is actually running rather than the version you believe was deployed, and verify that remediation has been completed on every exposed deployment.
  • Because the vulnerability is known exploited, review the access logs of any instance that was exposed while unpatched for path traversal attempts, including percent-encoded forms, and treat successful responses as a potential compromise requiring investigation.
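The inventory step is where remediation efforts usually go wrong: a version recorded in a CMDB is not the version a host is running. Grafana's unauthenticated `GET /api/health` endpoint reports the running version, so a triage script can collect that from each instance and compare it against the first fixed release for its branch. The block below is an added example for this debrief, not PatchSiren's, CISA's or Grafana Labs' code. Its only vulnerability data is the fixed-release list from the KEV notes on this page; the instance names and health responses are constructed; branches after 8.3 are taken as fixed because they were cut after the 8.3.1 fix; branches older than 8.0 are returned as "review" because this page's sources say nothing about them; and a pre-release build is conservatively sorted below the final release of the same number.

```python
import json
import re
import urllib.request

# First fixed release per branch, as listed in the KEV notes on this page.
FIXED_BY_BRANCH = {
    (8, 0): (8, 0, 7),
    (8, 1): (8, 1, 8),
    (8, 2): (8, 2, 7),
    (8, 3): (8, 3, 1),
}

VERSION_RE = re.compile(r'^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?')


def parse_version(text):
    """Turn '8.3.0', 'v8.3.1' or '8.0.7-beta1' into a comparable tuple.
    A pre-release sorts below the final release carrying the same number."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f'unparseable Grafana version: {text!r}')
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    final = 0 if m.group(4) else 1
    return (major, minor, patch, final)


def triage(version_text):
    """Classify one version as 'vulnerable', 'fixed' or 'review'."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        first_fixed = FIXED_BY_BRANCH[branch] + (1,)  # the final release of that number
        return 'fixed' if v >= first_fixed else 'vulnerable'
    if branch > (8, 3):
        return 'fixed'   # assumption stated in the lead-in: later branches were cut after the 8.3.1 fix
    return 'review'      # branch not covered by the fixed list on this page; consult the vendor advisory


def triage_inventory(health_bodies):
    """health_bodies maps an instance label to the raw body of GET /api/health.
    Returns {label: (version_or_None, verdict)}. Unreadable responses are reported
    rather than skipped: an instance you cannot read is one you cannot vouch for."""
    results = {}
    for label, body in health_bodies.items():
        try:
            version = json.loads(body)['version']
            results[label] = (version, triage(version))
        except (ValueError, KeyError, TypeError) as exc:
            results[label] = (None, f'unknown ({type(exc).__name__})')
    return results


def fetch_health(base_url, timeout=5):
    """Fetch GET <base_url>/api/health from a live instance. Not called in the
    offline run below; wire it to your inventory to feed triage_inventory()."""
    url = base_url.rstrip('/') + '/api/health'
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode('utf-8')


# Constructed health responses standing in for real instances (not real hosts).
SAMPLE_HEALTH = {
    'grafana-prod':    '{"commit":"0000000","database":"ok","version":"8.3.0"}',
    'grafana-staging': '{"commit":"0000000","database":"ok","version":"8.3.1"}',
    'grafana-legacy':  '{"commit":"0000000","database":"ok","version":"8.1.5"}',
    'grafana-preview': '{"commit":"0000000","database":"ok","version":"8.0.7-beta1"}',
    'grafana-new':     '{"commit":"0000000","database":"ok","version":"10.4.2"}',
    'grafana-old':     '{"commit":"0000000","database":"ok","version":"7.5.0"}',
    'grafana-down':    '503 Service Unavailable',
}

if __name__ == '__main__':
    for label, (version, verdict) in triage_inventory(SAMPLE_HEALTH).items():
        print(f'{label:16} {version or "-":12} {verdict}')
```

Anything reported as "review" or "unknown" needs a human decision, not a green tick: the 7.x instance falls outside what this page's sources cover, and the instance that did not answer with JSON may be down, fronted by a proxy, or simply not Grafana at all.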

Evidence notes

This debrief is based on the supplied CISA KEV entry plus the official CVE.org and NVD links. The KEV metadata states Grafana Labs/Grafana, labels the issue as a path traversal vulnerability, marks it as known exploited, and references Grafana's 2021-12-07 advisory in the notes. The supplied corpus does not include a CVSS score or detailed exploit mechanics.

Official resources

Public debrief derived only from the supplied official sources and CISA KEV metadata; no exploit code, reproduction steps, or unsupported impact claims are included.