PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-21721 Grafana CVE debrief

CVE-2026-21721 is a HIGH-severity authorization flaw in Grafana's dashboard permissions API. The API checks only that the caller holds a dashboards.permissions:* action; it does not verify that the scope of that grant covers the dashboard named in the request. As a result, a user who has been given permission management on a single dashboard can read and modify the permissions of any other dashboard in the same organization. Because the attacker must already be an authenticated member of the organization with some delegated rights, this is classed as an organization-internal privilege escalation. The vulnerability carries a CVSS score of 8.1 and is tracked by Grafana and by other sources including NVD and Red Hat.

Vendor
Grafana
Product
grafana/grafana
CVSS
HIGH 8.1
CISA KEV
Not listed (according to the stored evidence at the time of writing)
Original CVE published
2026-01-27
Original CVE updated
2026-06-30
Advisory published
2026-01-27
Advisory updated
2026-06-30

Who should care

Grafana administrators should take note, especially in deployments where dashboard-level permission management has been delegated to non-admin users such as team leads or dashboard owners, since any one of those users can reach every other dashboard's permissions. Security teams monitoring Grafana should prioritize patching or mitigating this issue to prevent privilege escalation inside the organization.

Technical summary

CVE-2026-21721 exists in Grafana's dashboard permissions API. When a request targets a specific dashboard, the API verifies only that the caller holds the dashboards.permissions:* action and never checks whether the grant's scope includes that dashboard. A user with permission management rights on one dashboard can therefore read or modify the permissions on any other dashboard in the organization, including granting themselves access to it. The vulnerability is rated HIGH with a CVSS score of 8.1. Affected versions are Grafana 10.2.0 up to, but not including, 11.6.9; 12.0.0 before 12.0.8; 12.1.0 before 12.1.5; and 12.2.0 before 12.2.3. The fixed versions are 11.6.9, 12.0.8, 12.1.5 and 12.2.3, and 12.3.0 and later.
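To make the authorization gap concrete, here is an added illustration written for this debrief, not Grafana's own code. It models a user's grants as (action, scope) pairs, with the vulnerable check evaluating only the action and the fixed check requiring a scope that covers the requested dashboard. The action names, the dashboards:uid:<uid> scope shape and the wildcard handling (dashboards:* and dashboards:uid:*) are assumptions for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is one (action, scope) grant held by a user.
// Scope shape and wildcard rules are assumptions for this example, not Grafana's exact model.
type Permission struct {
	Action string
	Scope  string
}

const (
	actionDashPermsRead  = "dashboards.permissions:read"
	actionDashPermsWrite = "dashboards.permissions:write"
)

// scopeMatches reports whether a granted scope covers the requested scope.
// "*" and trailing ":*" wildcards cover everything under their prefix.
func scopeMatches(granted, requested string) bool {
	if granted == "*" || granted == requested {
		return true
	}
	if strings.HasSuffix(granted, ":*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return false
}

// vulnerableCheck mirrors the flaw described in the advisory: it asks only whether the
// user holds the action at all and ignores which dashboard the request targets.
func vulnerableCheck(perms []Permission, action, targetUID string) bool {
	for _, p := range perms {
		if p.Action == action {
			return true
		}
	}
	return false
}

// fixedCheck requires both the action and a scope that covers the target dashboard.
func fixedCheck(perms []Permission, action, targetUID string) bool {
	want := "dashboards:uid:" + targetUID
	for _, p := range perms {
		if p.Action == action && scopeMatches(p.Scope, want) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: the user manages permissions on dashboard "team-a" only.
	perms := []Permission{
		{Action: actionDashPermsRead, Scope: "dashboards:uid:team-a"},
		{Action: actionDashPermsWrite, Scope: "dashboards:uid:team-a"},
	}
	for _, uid := range []string{"team-a", "finance"} {
		fmt.Printf("target=%-8s vulnerable=%-5v fixed=%v\n", uid,
			vulnerableCheck(perms, actionDashPermsWrite, uid),
			fixedCheck(perms, actionDashPermsWrite, uid))
	}
}
```

The second line of output is the bug: the action-only check lets the team-a admin write the finance dashboard's permissions, while the scoped check denies it. The general lesson for any permissions API is that the check must bind the action to the resource identified in the request, not merely confirm the caller holds that action somewhere.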

Defensive priority

This HIGH-severity vulnerability requires prompt attention from Grafana administrators. Any user who already holds dashboard permission management on at least one dashboard can use the flaw to read and rewrite the permissions of every other dashboard in the organization, and so grant themselves or others access to data those dashboards expose. The more widely dashboard administration has been delegated, the larger the pool of potential abusers.

Recommended defensive actions

  • Upgrade to a fixed release (11.6.9, 12.0.8, 12.1.5, 12.2.3, or 12.3.0 and later) for CVE-2026-21721.
  • Until patched, review who holds dashboard permission management rights (in practice, the dashboards.permissions:* actions, typically via the Admin role on a dashboard or folder) and remove delegations that are not strictly necessary.
  • Monitor calls to the dashboard permissions API and flag accounts that read or change permissions on dashboards they do not administer.
  • Enable and retain request logging so that permission reads and writes can be attributed to a user and dashboard after the fact.
  • Consider temporarily blocking the dashboard permissions API at a reverse proxy for non-admin users until the upgrade is complete.
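The monitoring and logging actions above can be turned into a simple detector. The following is an added example for this debrief, not tooling from Grafana: it parses constructed key=value log lines (the field names are an assumption; adapt them to what your reverse proxy or Grafana's router logging actually emits), extracts the dashboard UID from the /api/dashboards/uid/<uid>/permissions path, and flags users who touch permissions on more dashboards than they would normally administer.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample lines (not captured from a real system). The key=value layout
// is an assumption for this example.
const sampleLog = `2026-02-01T10:00:01Z user=alice method=GET  path=/api/dashboards/uid/team-a/permissions status=200
2026-02-01T10:00:05Z user=alice method=GET  path=/api/dashboards/uid/finance/permissions status=200
2026-02-01T10:00:09Z user=alice method=POST path=/api/dashboards/uid/finance/permissions status=200
2026-02-01T10:00:12Z user=alice method=GET  path=/api/dashboards/uid/hr-payroll/permissions status=200
2026-02-01T10:01:00Z user=bob   method=GET  path=/api/dashboards/uid/team-b/permissions status=200
2026-02-01T10:01:30Z user=bob   method=GET  path=/api/dashboards/uid/team-b status=200`

// permPath matches the dashboard permissions endpoint and captures the dashboard UID.
var permPath = regexp.MustCompile(`^/api/dashboards/uid/([^/]+)/permissions$`)

// kvRe extracts key=value pairs from a log line.
var kvRe = regexp.MustCompile(`(\w+)=(\S+)`)

// PermissionTouches returns, per user, the sorted distinct dashboard UIDs whose
// permissions endpoint that user called. Reads and writes are counted alike and no
// status filter is applied: on a vulnerable server the cross-dashboard calls succeed,
// on a patched one they are rejected, and both are worth seeing.
func PermissionTouches(text string) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, line := range strings.Split(text, "\n") {
		fields := map[string]string{}
		for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
			fields[m[1]] = m[2]
		}
		m := permPath.FindStringSubmatch(fields["path"])
		user := fields["user"]
		if m == nil || user == "" {
			continue
		}
		if seen[user] == nil {
			seen[user] = map[string]bool{}
		}
		seen[user][m[1]] = true
	}
	out := map[string][]string{}
	for user, uids := range seen {
		for uid := range uids {
			out[user] = append(out[user], uid)
		}
		sort.Strings(out[user])
	}
	return out
}

// Suspicious lists users who touched permissions on more than maxDashboards distinct
// dashboards. Tune the threshold to how widely permission management is legitimately
// delegated; a user who administers exactly one dashboard should never exceed 1.
func Suspicious(touches map[string][]string, maxDashboards int) []string {
	var users []string
	for user, uids := range touches {
		if len(uids) > maxDashboards {
			users = append(users, user)
		}
	}
	sort.Strings(users)
	return users
}

func main() {
	touches := PermissionTouches(sampleLog)
	for _, u := range Suspicious(touches, 1) {
		fmt.Printf("ALERT user=%s touched permissions on %d dashboards: %v\n",
			u, len(touches[u]), touches[u])
	}
}
```

A stronger version of this check would compare each user's touched UIDs against the dashboards they actually administer (exported from Grafana's permissions API) rather than a fixed count, so that a single unexpected dashboard is enough to alert.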

Evidence notes

CVE-2026-21721 was published on January 27, 2026, and last modified on June 30, 2026. It is tracked by multiple sources including NVD, Grafana, and Red Hat. The affected ranges span the 10.2 through 12.2 release lines, with fixes in 11.6.9, 12.0.8, 12.1.5 and 12.2.3; 12.3.0 and later are not affected.

Official resources

This article was generated with AI assistance based on the supplied source corpus.