CVE-2026-21721 | Severity: HIGH | CNA: Grafana

CVE-2026-21721: Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation

The dashboard permissions API checks only that the caller holds a dashboards.permissions:* action; it does not verify that the action is scoped to the dashboard named in the request. As a result, a user who has permission-management rights on one dashboard can read and modify the permissions of any other dashboard in the same organization. This is an organization-internal privilege escalation: it requires an authenticated user who already has permission-management rights on at least one dashboard, and it does not cross organization boundaries.
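The flaw described above is an action check without a scope check. The following is an added example, not Grafana's own code: it models permissions as (action, scope) pairs in the style of Grafana's RBAC vocabulary and places the flawed check beside a scope-aware one. The scope string format dashboards:uid:<uid> and the wildcard rules in scopeMatches are simplified assumptions for illustration; the user and dashboard names are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is an (action, scope) pair. Constructed model for this
// example; it is not Grafana's internal type.
type Permission struct {
	Action string
	Scope  string
}

// User carries the permissions an org user has been granted.
type User struct {
	Login       string
	Permissions []Permission
}

// DashboardScope builds the scope string for a dashboard UID
// (assumed format, modelled on Grafana's dashboards:uid:<uid> convention).
func DashboardScope(uid string) string {
	return "dashboards:uid:" + uid
}

// scopeMatches reports whether a granted scope covers a requested one.
// "*" covers everything; a trailing "*" is a prefix wildcard, so
// "dashboards:*" and "dashboards:uid:*" cover "dashboards:uid:abc".
// Simplified rules assumed for this example.
func scopeMatches(granted, requested string) bool {
	if granted == "*" || granted == requested {
		return true
	}
	if strings.HasSuffix(granted, "*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return false
}

// VulnerableCanManagePermissions mirrors the flawed logic: it asks only
// whether the user holds the action at all. The target scope is ignored,
// so a grant on one dashboard satisfies a request against any dashboard.
func VulnerableCanManagePermissions(u User, action, _ string) bool {
	for _, p := range u.Permissions {
		if p.Action == action {
			return true
		}
	}
	return false
}

// FixedCanManagePermissions requires a permission whose action matches
// AND whose scope covers the dashboard named in the request.
func FixedCanManagePermissions(u User, action, targetScope string) bool {
	for _, p := range u.Permissions {
		if p.Action == action && scopeMatches(p.Scope, targetScope) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: alice was granted permission management on
	// exactly one dashboard ("own-dash").
	alice := User{Login: "alice", Permissions: []Permission{
		{Action: "dashboards.permissions:read", Scope: DashboardScope("own-dash")},
		{Action: "dashboards.permissions:write", Scope: DashboardScope("own-dash")},
	}}
	const action = "dashboards.permissions:write"
	for _, target := range []string{"own-dash", "finance-dash"} {
		scope := DashboardScope(target)
		fmt.Printf("%-13s vulnerable=%-5v fixed=%v\n", target,
			VulnerableCanManagePermissions(alice, action, scope),
			FixedCanManagePermissions(alice, action, scope))
	}
}
```

Running main shows the vulnerable check returning true for finance-dash, a dashboard alice was never granted, while the scope-aware check returns true only for own-dash. An org-wide grant such as scope dashboards:* still passes the fixed check, which is the intended behaviour for organization admins.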

Metrics
  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: 11.6.9
  • Affected Products: 10

Fix available
  • 11.6.9, 12.0.8, 12.1.5, 12.2.3, 12.3.1
Affected packages
  • Grafana / grafana/grafana
    < 12.3.1 (from 12.3.0)
  • Grafana / grafana/grafana
    < 12.2.3 (from 12.2.0)
  • Grafana / grafana/grafana
    < 12.1.5 (from 12.1.0)
  • Grafana / grafana/grafana
    < 12.0.8 (from 12.0.0)
  • Grafana / grafana/grafana
    < 11.6.9 (from 10.2.0)
  • Grafana / grafana/grafana-enterprise
    < 11.6.9 (from 10.2.0)
  • Grafana / grafana/grafana-enterprise
    < 12.0.8 (from 12.0.0)
  • Grafana / grafana/grafana-enterprise
    < 12.1.5 (from 12.1.0)
  • Grafana / grafana/grafana-enterprise
    < 12.2.3 (from 12.2.0)
  • Grafana / grafana/grafana-enterprise
    < 12.3.1 (from 12.3.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N