🔐 CVE Alert

CVE-2026-21721

HIGH 8.1

Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
2nd

The dashboard permissions API does not verify the scope of the target dashboard: it only checks whether the caller holds a dashboards.permissions:* action (dashboards.permissions:read or dashboards.permissions:write), not whether that action was granted for the dashboard named in the request. As a result, a user who has permission-management rights on one dashboard can read and modify the permissions of any other dashboard in the same organization. This is an organization-internal privilege escalation: the attacker needs an existing account in that organization which already holds permission management on at least one dashboard (Privileges Required: Low), and no user interaction is needed. The fix is to upgrade to a release outside the affected ranges listed below.
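To make the class of flaw concrete, the following Go program (an added example written for this page, not Grafana's own code) contrasts an authorization check that looks only for the action with one that also evaluates the scope of the dashboard being targeted. The permission model, the scope strings dashboards:uid:<uid> and dashboards:*, and all function names are illustrative assumptions; the action names follow the dashboards.permissions:* family named above. The sample users and dashboard UIDs are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is an (action, scope) pair in the style of an RBAC model.
// Scope strings used here are assumptions for illustration:
//   "dashboards:uid:<uid>"  one dashboard
//   "dashboards:*"          every dashboard in the organization
type Permission struct {
	Action string
	Scope  string
}

// User carries the permissions a principal holds in one organization.
type User struct {
	Name        string
	Permissions []Permission
}

// Actions in the dashboards.permissions:* family named in the advisory text.
const (
	ActionPermsRead  = "dashboards.permissions:read"
	ActionPermsWrite = "dashboards.permissions:write"
)

// DashboardScope builds the scope string for one dashboard UID (assumed format).
func DashboardScope(uid string) string { return "dashboards:uid:" + uid }

// scopeCovers reports whether a granted scope includes the requested one.
// A granted scope ending in "*" is a prefix wildcard; anything else must match exactly.
func scopeCovers(granted, requested string) bool {
	if strings.HasSuffix(granted, "*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return granted == requested
}

// AllowedActionOnly models the flaw: the request is authorized as soon as the
// user holds the action on *any* scope. The target dashboard is never consulted,
// so permission management on one dashboard unlocks every other dashboard.
func AllowedActionOnly(u User, action, targetUID string) bool {
	_ = targetUID // ignored on purpose: this is the bug being illustrated
	for _, p := range u.Permissions {
		if p.Action == action {
			return true
		}
	}
	return false
}

// AllowedScoped models the corrected check: the action must be granted on a
// scope that covers the dashboard named in the request.
func AllowedScoped(u User, action, targetUID string) bool {
	want := DashboardScope(targetUID)
	for _, p := range u.Permissions {
		if p.Action == action && scopeCovers(p.Scope, want) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample data: "editor" was granted permission management on
	// dashboard "sales-a" only; "admin" holds it on every dashboard.
	editor := User{Name: "editor", Permissions: []Permission{
		{Action: ActionPermsRead, Scope: DashboardScope("sales-a")},
		{Action: ActionPermsWrite, Scope: DashboardScope("sales-a")},
	}}
	admin := User{Name: "admin", Permissions: []Permission{
		{Action: ActionPermsWrite, Scope: "dashboards:*"},
	}}

	for _, uid := range []string{"sales-a", "finance-b"} {
		fmt.Printf("%s write on %-9s action-only=%-5v scoped=%v\n", editor.Name, uid,
			AllowedActionOnly(editor, ActionPermsWrite, uid),
			AllowedScoped(editor, ActionPermsWrite, uid))
		fmt.Printf("%s  write on %-9s scoped=%v\n", admin.Name, uid,
			AllowedScoped(admin, ActionPermsWrite, uid))
	}
}
```

The action-only check returns true for the editor on finance-b, which is exactly the cross-dashboard escalation the advisory describes; the scoped check denies it while still permitting the editor on sales-a and the admin's wildcard grant everywhere. When reviewing an authorization layer for this bug class, look for any evaluator that is called with an action but no resource scope on an endpoint that names a resource in its path.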

Vendor: grafana
Product: grafana/grafana
Industries: Technology
Published: Jan 27, 2026
Last Updated: Apr 15, 2026

CVSS v3.1 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: None (A:N)

Affected Versions

Each range is inclusive of the lower bound and exclusive of the upper bound; the first version at or above the upper bound is the minimum to upgrade to within that release line.

Grafana / grafana/grafana
  10.2.0 <= version < 11.6.9
  12.0.0 <= version < 12.0.8
  12.1.0 <= version < 12.1.5
  12.2.0 <= version < 12.2.3
  12.3.0 <= version < 12.3.1

Grafana / grafana/grafana-enterprise
  10.2.0 <= version < 11.6.9
  12.0.0 <= version < 12.0.8
  12.1.0 <= version < 12.1.5
  12.2.0 <= version < 12.2.3
  12.3.0 <= version < 12.3.1

References

NVD
CVE.org
EPSS Data
grafana.com: https://grafana.com/security/security-advisories/cve-2026-21721