CVE-2026-27877

MEDIUM 6.5

Public dashboards discloses all direct mode datasources

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

2th

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

Vendor	grafana
Product	grafana
Ecosystems	Monitoring DevTools
Industries	Technology
Published	Mar 27, 2026
Last Updated	Apr 15, 2026

Stay Ahead of the Next One

Get instant alerts for grafana grafana

Be the first to know when new medium vulnerabilities affecting grafana grafana are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Grafana / Grafana

9.3.0 < 11.6.14 12.0.0 < 12.1.10 12.2.0 < 12.2.8 12.3.0 < 12.3.6 12.4.0 < 12.4.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

grafana.com: https://grafana.com/security/security-advisories/cve-2026-27877