🔐 CVE Alert

CVE-2025-12141

UNKNOWN 0.0

Grafana Alerting Editors can edit destination of webhooks they did not create

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

In Grafana's alerting system, users with edit permissions for a contact point (specifically the permissions "alert.notifications:write" or "alert.notifications.receivers:test", which are granted as part of the fixed role "Contact Point Writer", itself included in the basic role Editor) can edit contact points created by other users and change the endpoint URL to a server they control. By invoking the test functionality, an attacker can then capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.

CWE CWE-200
Vendor grafana
Product grafana alerting
Published Apr 15, 2026
Last Updated Apr 15, 2026

Affected Versions

Grafana / Grafana Alerting
8.0.0 ≤ 12.3.0

References

grafana.com: https://grafana.com/security/security-advisories/cve-2025-12141/