{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21721", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-01-05T09:26:06.214Z", "datePublished": "2026-01-27T09:07:55.160Z", "dateUpdated": "2026-04-24T08:00:51.154Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-04-24T08:00:51.154Z"}, "datePublic": "2026-01-27T09:05:28.422Z", "title": "Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation", "descriptions": [{"lang": "en", "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation.", "supportingMedia": [{"type": "text/markdown", "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."}]}], "affected": [{"vendor": "Grafana", "product": "grafana/grafana", "defaultStatus": "unaffected", "versions": [{"version": "12.3.0", "status": "affected", "versionType": "semver", "lessThan": "12.3.1"}]}, {"vendor": "Grafana", "product": "grafana/grafana", "defaultStatus": "unaffected", "versions": [{"version": "12.2.0", "status": "affected", "versionType": "semver", "lessThan": "12.2.3"}]}, {"vendor": "Grafana", "product": "grafana/grafana", "defaultStatus": "unaffected", "versions": [{"version": "12.1.0", "status": "affected", "versionType": "semver", "lessThan": "12.1.5"}]}, {"vendor": "Grafana", "product": "grafana/grafana", "defaultStatus": "unaffected", "versions": [{"version": "12.0.0", "status": "affected", "versionType": "semver", "lessThan": "12.0.8"}]}, {"vendor": "Grafana", "product": "grafana/grafana", "defaultStatus": "unaffected", "versions": [{"version": "10.2.0", "status": "affected", "versionType": "semver", "lessThan": "11.6.9"}]}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "defaultStatus": "unaffected", "versions": [{"version": "10.2.0", "status": "affected", "versionType": "semver", "lessThan": "11.6.9"}]}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "defaultStatus": "unaffected", "versions": [{"version": "12.0.0", "status": "affected", "versionType": "semver", "lessThan": "12.0.8"}]}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "defaultStatus": "unaffected", "versions": [{"version": "12.1.0", "status": "affected", "versionType": "semver", "lessThan": "12.1.5"}]}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "defaultStatus": "unaffected", "versions": [{"version": "12.2.0", "status": "affected", "versionType": "semver", "lessThan": "12.2.3"}]}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "defaultStatus": "unaffected", "versions": [{"version": "12.3.0", "status": "affected", "versionType": "semver", "lessThan": "12.3.1"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-21721", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-863", "lang": "en", "description": "CWE-863 Incorrect Authorization"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T04:55:19.556498Z", "id": "CVE-2026-21721", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T21:45:54.908Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21721", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-28T04:55:19.556498Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T15:26:51.354Z"}}], "cna": {"title": "Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}}], "affected": [{"vendor": "Grafana", "product": "grafana/grafana", "versions": [{"status": "affected", "version": "12.3.0", "lessThan": "12.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana", "versions": [{"status": "affected", "version": "12.2.0", "lessThan": "12.2.3", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana", "versions": [{"status": "affected", "version": "12.1.0", "lessThan": "12.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana", "versions": [{"status": "affected", "version": "12.0.0", "lessThan": "12.0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana", "versions": [{"status": "affected", "version": "10.2.0", "lessThan": "11.6.9", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "versions": [{"status": "affected", "version": "10.2.0", "lessThan": "11.6.9", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "versions": [{"status": "affected", "version": "12.0.0", "lessThan": "12.0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "versions": [{"status": "affected", "version": "12.1.0", "lessThan": "12.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "versions": [{"status": "affected", "version": "12.2.0", "lessThan": "12.2.3", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "versions": [{"status": "affected", "version": "12.3.0", "lessThan": "12.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-01-27T09:05:28.422Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-21721", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation.", "supportingMedia": [{"type": "text/markdown", "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-04-24T08:00:51.154Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21721", "state": "PUBLISHED", "dateUpdated": "2026-04-24T08:00:51.154Z", "dateReserved": "2026-01-05T09:26:06.214Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-01-27T09:07:55.160Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F6E2185-5D9B-4519-BFE1-363489FDE5C5", "versionEndExcluding": "11.6.9", "versionStartIncluding": "10.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "0800CF3F-6B22-4AC9-B7A5-88F00162D7CF", "versionEndExcluding": "12.0.8", "versionStartIncluding": "12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "B74E6E97-D985-4F8E-BFE9-DD40D99995D8", "versionEndExcluding": "12.1.5", "versionStartIncluding": "12.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "FCC333B0-9BDE-4A2D-9648-C8017242DDC7", "versionEndExcluding": "12.2.3", "versionStartIncluding": "12.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:11.6.9:-:*:*:*:*:*:*", "matchCriteriaId": "75C49C18-902A-447E-97F3-2679BD19B517", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:12.0.8:-:*:*:*:*:*:*", "matchCriteriaId": "63A1D7CB-4839-4706-AB16-0D1609B62C1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:12.1.5:-:*:*:*:*:*:*", "matchCriteriaId": "FCEFE43C-35EA-4163-A184-6FE2FF14B2BA", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:12.2.3:-:*:*:*:*:*:*", "matchCriteriaId": "D5613D06-3180-477D-9272-CAF86A6D764D", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:12.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D0226F9E-7B57-4F41-BC7D-234F17628970", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:12.3.1:-:*:*:*:*:*:*", "matchCriteriaId": "B7B29640-D0AE-4B99-95F8-B1D84E3A17AA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."}, {"lang": "es", "value": "La API de permisos del panel no verifica el alcance del panel de destino y solo comprueba la acci\u00f3n dashboards.permissions:*. Como resultado, un usuario que tiene derechos de gesti\u00f3n de permisos en un panel puede leer y modificar permisos en otros paneles. Esto es una escalada de privilegios interna de la organizaci\u00f3n."}], "id": "CVE-2026-21721", "lastModified": "2026-04-20T17:28:19.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-01-27T09:15:48.640", "references": [{"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2026-21721"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation", "id": "2433242", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433242"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-639", "details": ["The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-21721", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "rhel8/grafana", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "rhel9/grafana", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Affected", "package_name": "rhel8/grafana", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Affected", "package_name": "rhel9/grafana", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:8", "fix_state": "Affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 8"}, {"cpe": "cpe:/a:redhat:ceph_storage:8", "fix_state": "Affected", "package_name": "rhel8/grafana", "product_name": "Red Hat Ceph Storage 8"}, {"cpe": "cpe:/a:redhat:ceph_storage:8", "fix_state": "Affected", "package_name": "rhel9/grafana", "product_name": "Red Hat Ceph Storage 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-27T09:07:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21721\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21721\nhttps://grafana.com/security/security-advisories/CVE-2026-21721"], "threat_severity": "Important"}