PatchSiren cyber security CVE debrief
CVE-2026-21721 Grafana CVE debrief
CVE-2026-21721 is a HIGH-severity (CVSS 8.1) vulnerability in Grafana's dashboard permissions API. The API checks only that the caller holds a dashboards.permissions:* action (read or write) and does not verify that the grant is scoped to the dashboard named in the request. A user who may manage permissions on a single dashboard can therefore read and modify the permissions of any other dashboard in the same organization, which makes this an organization-internal privilege escalation. The vulnerability is tracked by Grafana and by other sources including NVD and Red Hat.
- Vendor: Grafana
- Product: grafana/grafana
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-27
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-27
- Advisory updated: 2026-06-30
Who should care
Anyone running an affected Grafana release should check their version, but the exposure is greatest where dashboard permission management has been delegated below the organization-admin level: a user or team given permission-management rights (the Admin level) on even one dashboard or folder holds a dashboards.permissions:* grant and, on an unpatched server, can use it against every other dashboard in the organization. Security teams monitoring Grafana deployments should prioritize patching or mitigation to prevent privilege escalation within the organization.
Technical summary
CVE-2026-21721 exists in Grafana's dashboard permissions API. When a request reads or writes the permissions of a dashboard, the API checks only whether the caller holds a dashboards.permissions:* action somewhere; it does not check that the scope of that grant covers the dashboard identified in the request. A user whose permission-management rights are limited to one dashboard can therefore read or modify the permissions of other dashboards, including granting themselves access to them. The fix is to scope the check to the dashboard named in the request. The vulnerability is rated HIGH with a CVSS score of 8.1. Affected versions are Grafana 10.2.0 up to but not including 11.6.9, 12.0.0 before 12.0.8, 12.1.0 before 12.1.5, and 12.2.0 before 12.2.3. Patched versions are 11.6.9, 12.0.8, 12.1.5 and 12.2.3, and 12.3.0 and later.
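The following is an added illustrative model of the bug class, written for this debrief; it is not Grafana's code. The type names, the "kind:attribute:value" scope syntax and the folder-to-dashboard resolution are assumptions made for the example. It places the flawed check (action only) beside the corrected check (action plus a scope that covers the target dashboard) so the difference is concrete:

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is one RBAC grant: an action and the scope it applies to.
// Scopes use a "kind:attribute:value" shape, e.g. "dashboards:uid:dash-a",
// "folders:uid:team-f", or a trailing wildcard such as "dashboards:*".
// (Assumed syntax for this example, modelled on Grafana's action/scope pairs.)
type Permission struct {
	Action string
	Scope  string
}

type User struct {
	Login       string
	Permissions []Permission
}

// Dashboard records the folder a dashboard lives in (empty for the root), so
// a grant on the folder can be resolved to the dashboards inside it.
type Dashboard struct {
	UID       string
	FolderUID string
}

// scopeCovers reports whether a granted scope covers a requested scope.
// Only a trailing "*" segment is treated as a wildcard.
func scopeCovers(granted, requested string) bool {
	if granted == "*" || granted == requested {
		return true
	}
	if strings.HasSuffix(granted, ":*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return false
}

// requestedScopes lists every scope that legitimately authorises an operation
// on the dashboard: the dashboard itself and its parent folder, if any.
func requestedScopes(d Dashboard) []string {
	scopes := []string{"dashboards:uid:" + d.UID}
	if d.FolderUID != "" {
		scopes = append(scopes, "folders:uid:"+d.FolderUID)
	}
	return scopes
}

// canManageVulnerable mirrors the flaw described in the advisory: the target
// dashboard is ignored and only possession of the action is checked, so a
// grant scoped to one dashboard unlocks the permissions of every dashboard.
func canManageVulnerable(u User, action string, target Dashboard) bool {
	for _, p := range u.Permissions {
		if p.Action == action {
			return true
		}
	}
	return false
}

// canManageFixed requires a grant whose scope covers the target dashboard,
// directly, through its folder, or through a wildcard.
func canManageFixed(u User, action string, target Dashboard) bool {
	for _, p := range u.Permissions {
		if p.Action != action {
			continue
		}
		for _, s := range requestedScopes(target) {
			if scopeCovers(p.Scope, s) {
				return true
			}
		}
	}
	return false
}

// Constructed sample data for the example.
var (
	dashA = Dashboard{UID: "dash-a"}
	dashB = Dashboard{UID: "dash-b"}
	dashC = Dashboard{UID: "dash-c", FolderUID: "team-f"}

	// alice may manage permissions on dash-a only.
	alice = User{Login: "alice", Permissions: []Permission{
		{Action: "dashboards.permissions:write", Scope: "dashboards:uid:dash-a"},
	}}
	// bob may manage permissions on everything inside folder team-f.
	bob = User{Login: "bob", Permissions: []Permission{
		{Action: "dashboards.permissions:write", Scope: "folders:uid:team-f"},
	}}
)

func main() {
	const action = "dashboards.permissions:write"
	for _, tc := range []struct {
		u User
		d Dashboard
	}{{alice, dashA}, {alice, dashB}, {bob, dashC}, {bob, dashA}} {
		fmt.Printf("%s on %s: vulnerable=%v fixed=%v\n", tc.u.Login, tc.d.UID,
			canManageVulnerable(tc.u, action, tc.d), canManageFixed(tc.u, action, tc.d))
	}
}
```

With the vulnerable check, alice's single dashboard-scoped grant is enough to manage dash-b; with the scoped check she is limited to dash-a, and bob's folder grant reaches dash-c but not dash-a. The general lesson for any action/scope authorisation layer is the same: a check must compare the resource in the request against the scope of the grant, not merely confirm that the action exists somewhere in the caller's permission set.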
Defensive priority
This HIGH-severity vulnerability requires immediate attention from Grafana administrators. Any user holding permission-management rights on one dashboard can use them to read the permissions of every other dashboard in the organization and to rewrite them: granting themselves view or edit access to dashboards they were never given, or widening and revoking other users' access. The attacker must already be an authenticated member of the organization, so the risk is highest in multi-team deployments where dashboard administration is delegated.
Recommended defensive actions
- Upgrade to a patched release (11.6.9, 12.0.8, 12.1.5, 12.2.3, or 12.3.0 and later); this is the only complete fix for CVE-2026-21721.
- Review and restrict who holds dashboard permission-management rights (the Admin level on dashboards and folders, and any custom role carrying dashboards.permissions:write) to the personnel who actually need them.
- Monitor dashboard access and permission changes: on an unpatched server, a non-admin user modifying permissions on dashboards they do not administer is the signature of this issue.
- Make sure permission reads and writes are recorded with the acting user, for example by enabling Grafana's router (request) logging or, where available, its audit logging.
- Until patched, consider removing delegated permission management entirely (leaving it to organization admins) or restricting the dashboard permissions endpoints at a reverse proxy to an administrative network.
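The following is an added example of the monitoring advice above, written for this debrief and not taken from Grafana. It assumes router logging is enabled so that each request yields a logfmt "Request Completed" line carrying uname, method and path; the log lines, user names and dashboard UIDs are constructed for the example. It extracts which dashboards each user modified permissions on and flags any outside the set that user is expected to administer:

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Constructed sample log lines in the shape of Grafana "Request Completed"
// entries (assumed format for the example; field names are the usual ones).
var sampleLog = []string{
	`logger=context userId=7 orgId=1 uname=alice t=2026-01-27T10:00:01Z level=info msg="Request Completed" method=POST path=/api/dashboards/uid/dash-a/permissions status=200 remote_addr=10.0.0.5 time_ms=9`,
	`logger=context userId=7 orgId=1 uname=alice t=2026-01-27T10:00:05Z level=info msg="Request Completed" method=GET path=/api/dashboards/uid/dash-b/permissions status=200 remote_addr=10.0.0.5 time_ms=4`,
	`logger=context userId=7 orgId=1 uname=alice t=2026-01-27T10:00:09Z level=info msg="Request Completed" method=POST path=/api/dashboards/uid/dash-b/permissions status=200 remote_addr=10.0.0.5 time_ms=11`,
	`logger=context userId=1 orgId=1 uname=admin t=2026-01-27T10:01:00Z level=info msg="Request Completed" method=POST path=/api/dashboards/uid/dash-c/permissions status=200 remote_addr=10.0.0.9 time_ms=8`,
	`logger=context userId=7 orgId=1 uname=alice t=2026-01-27T10:02:00Z level=info msg="Request Completed" method=POST path=/api/dashboards/db status=200 remote_addr=10.0.0.5 time_ms=30`,
}

// permissionPath matches the UID-keyed dashboard permissions endpoint.
var permissionPath = regexp.MustCompile(`^/api/dashboards/uid/([^/]+)/permissions/?$`)

// parseLogfmt splits a logfmt line into key/value pairs. Quoted values may
// contain spaces; bare tokens without '=' are skipped.
func parseLogfmt(line string) map[string]string {
	fields := map[string]string{}
	for i := 0; i < len(line); {
		for i < len(line) && line[i] == ' ' {
			i++
		}
		start := i
		for i < len(line) && line[i] != '=' && line[i] != ' ' {
			i++
		}
		key := line[start:i]
		if i >= len(line) || line[i] != '=' {
			continue // bare token or end of line
		}
		i++ // skip '='
		var val string
		if i < len(line) && line[i] == '"' {
			i++
			start = i
			for i < len(line) && line[i] != '"' {
				i++
			}
			val = line[start:i]
			if i < len(line) {
				i++ // closing quote
			}
		} else {
			start = i
			for i < len(line) && line[i] != ' ' {
				i++
			}
			val = line[start:i]
		}
		if key != "" {
			fields[key] = val
		}
	}
	return fields
}

// permissionWrites returns, per user, the sorted distinct dashboard UIDs whose
// permissions that user modified (POST to the permissions endpoint).
func permissionWrites(lines []string) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, line := range lines {
		f := parseLogfmt(line)
		m := permissionPath.FindStringSubmatch(f["path"])
		if m == nil || f["method"] != "POST" {
			continue
		}
		user := f["uname"]
		if user == "" {
			user = "userId:" + f["userId"]
		}
		if seen[user] == nil {
			seen[user] = map[string]bool{}
		}
		seen[user][m[1]] = true
	}
	out := map[string][]string{}
	for user, uids := range seen {
		for uid := range uids {
			out[user] = append(out[user], uid)
		}
		sort.Strings(out[user])
	}
	return out
}

// unexpectedWrites compares observed writes with the dashboards each user is
// expected to administer ("*" allows any). Users absent from allowed are
// flagged for every write. Writes outside the expected set are the pattern an
// unpatched server permits under this CVE.
func unexpectedWrites(observed, allowed map[string][]string) map[string][]string {
	flagged := map[string][]string{}
	for user, uids := range observed {
		ok := map[string]bool{}
		for _, a := range allowed[user] {
			ok[a] = true
		}
		if ok["*"] {
			continue
		}
		for _, uid := range uids {
			if !ok[uid] {
				flagged[user] = append(flagged[user], uid)
			}
		}
	}
	return flagged
}

func main() {
	allowed := map[string][]string{"alice": {"dash-a"}, "admin": {"*"}}
	for user, uids := range unexpectedWrites(permissionWrites(sampleLog), allowed) {
		fmt.Printf("ALERT user=%s modified permissions outside their grant: %v\n", user, uids)
	}
}
```

Here alice's POST to dash-b is flagged because her expected set is dash-a only. The allowed map is the hypothetical input a team would derive from its own delegation records; GET requests to the same endpoint indicate permission reads, which the bug also permits across dashboards, and can be tracked with the same parser by relaxing the method filter.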
Evidence notes
The CVE-2026-21721 vulnerability was published on January 27, 2026, and last modified on June 30, 2026. It was tracked by multiple sources including NVD, Grafana, and Red Hat. The vulnerability affects various versions of Grafana, with patches available for versions 11.6.9, 12.0.8, 12.1.5, 12.2.3, and 12.3.0 or later.
Official resources
- CVE-2026-21721 CVE record (CVE.org)
- CVE-2026-21721 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Vendor Advisory)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.