PatchSiren cyber security CVE debrief
CVE-2026-21725 Grafana CVE debrief
CVE-2026-21725 describes a race-condition/TOCTOU issue in Grafana datasource deletion handling. Under a very narrow set of conditions, an attacker who previously had admin access to a datasource can delete it, wait for someone else to recreate it with the same UID, and then delete the recreated datasource without having admin rights on the new object. The practical risk is limited by several gating conditions called out in the CVE data: the attack must happen within 30 seconds, on the same Grafana pod, and only against the same datasource UID. In the supplied metadata, NVD classifies the issue as a low-severity availability problem with no confidentiality or integrity impact.
- Vendor: Grafana
- Product: CVE-2026-21725
- CVSS: LOW 2.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-25
- Original CVE updated: 2026-05-10
- Advisory published: 2026-02-25
- Advisory updated: 2026-05-10
Who should care
Grafana administrators, SREs, and security teams running affected Grafana Enterprise versions should pay attention, especially where datasource deletion permissions are operationally sensitive or where admin access is broadly delegated.
Technical summary
The issue is a TOCTOU flaw (CWE-367) in datasource deletion logic. NVD metadata lists the vulnerable Grafana Enterprise CPE range as versions 11.0.0 through 12.4.0, excluding 12.4.1. The supplied CVE description says the attacker must have been an admin for the datasource before the first deletion, must act within 30 seconds on the same pod, and can only affect a recreated datasource that reuses the same UID. The NVD CVSS vector is AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L, indicating limited availability impact and requiring low privileges plus user interaction.
Defensive priority
Low to moderate. Patch promptly, but this is not a broad exploitation scenario; it is a highly constrained authorization/race condition affecting a specific deletion workflow.
Recommended defensive actions
- Upgrade Grafana Enterprise to a version outside the vulnerable range; NVD lists 11.0.0 through 12.4.0 as affected, with 12.4.1 excluded.
- Restrict datasource admin and delete permissions to the smallest practical set of users.
- Review operational workflows that delete and recreate datasources, especially where UID reuse could occur.
- Monitor audit logs for rapid delete/recreate sequences involving the same datasource UID.
- Use the Grafana vendor advisory to confirm fixed versions and any product-specific remediation guidance.
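One way to implement the audit-log monitoring recommended above, as an added example that is not PatchSiren's or Grafana's own code: a small Python detector that scans constructed audit lines for a delete of a datasource UID followed, on the same pod and within 30 seconds, by a create of the same UID, and also reports any further delete of that UID inside the window (the delete, recreate, delete shape the CVE describes). The `pod=`/`user=`/`action=`/`uid=` line format and the `datasource.delete`/`datasource.create` action names are assumptions; real Grafana audit events use their own field names and must be mapped onto `Event` first.

```python
"""Flag rapid delete/recreate sequences for one Grafana datasource UID.
Input lines use a constructed key=value format; map real Grafana audit fields onto Event."""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # the 30-second condition from the CVE description

@dataclass(frozen=True)
class Event:
    ts: datetime
    pod: str
    user: str
    action: str  # "datasource.delete" / "datasource.create" (assumed action names)
    uid: str

def parse_line(line: str) -> Event:
    # Assumed format: "<iso-ts> pod=<pod> user=<user> action=<action> uid=<uid>"
    ts_str, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_str), f["pod"], f["user"], f["action"], f["uid"])

def find_rapid_recreates(events):
    """For each delete followed on the same pod, within WINDOW, by a create of the
    same UID, return (first_delete, recreate, later_deletes); later_deletes are
    deletes of the recreated UID still inside the window (the CVE's sequence)."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, first in enumerate(events):
        if first.action != "datasource.delete":
            continue
        for nxt in events[i + 1:]:
            if nxt.ts - first.ts > WINDOW:
                break  # sorted by time: nothing later can be inside the window
            if nxt.uid != first.uid or nxt.pod != first.pod:
                continue
            if nxt.action == "datasource.create":
                later = [e for e in events if e.ts > nxt.ts and e.uid == first.uid
                         and e.pod == first.pod and e.action == "datasource.delete"
                         and e.ts - first.ts <= WINDOW]
                findings.append((first, nxt, later))
                break
    return findings

def analyze(lines):
    return find_rapid_recreates(parse_line(l) for l in lines)

# Constructed sample: suspicious delete -> recreate -> delete on grafana-0 within 20 s,
# and a benign recreate on grafana-1 five minutes apart (outside the window).
SAMPLE_LOG = [
    "2026-03-01T10:00:00 pod=grafana-0 user=alice action=datasource.delete uid=ds-prom",
    "2026-03-01T10:00:10 pod=grafana-0 user=bob action=datasource.create uid=ds-prom",
    "2026-03-01T10:00:20 pod=grafana-0 user=alice action=datasource.delete uid=ds-prom",
    "2026-03-01T11:00:00 pod=grafana-1 user=carol action=datasource.delete uid=ds-loki",
    "2026-03-01T11:05:00 pod=grafana-1 user=carol action=datasource.create uid=ds-loki",
]
```

Running `analyze(SAMPLE_LOG)` yields one finding: the `ds-prom` sequence on `grafana-0`, with one further delete inside the window; the `ds-loki` recreate is ignored because it falls outside the 30-second window.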
Evidence notes
This debrief is based on the supplied CVE description, which states the same-pod, 30-second, same-UID, delete-then-recreate conditions. NVD metadata provides the CVSS 3.1 vector AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L and CWE-367, and it lists the affected Grafana Enterprise range as 11.0.0 through 12.4.0 (12.4.1 excluded). The official Grafana advisory linked by NVD is the primary vendor reference for remediation context.
Official resources
- CVE-2026-21725 CVE record (CVE.org)
- CVE-2026-21725 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE published 2026-02-25 and modified 2026-05-10.