pkg:Bitnami/grafana

97 total CVEs (CRITICAL 9, HIGH 24, MEDIUM 58, LOW 4)


All known vulnerabilities

  • HIGH 7.5 CVE-2021-43798 (KEV): Grafana path traversal
    Affected: >= 8.0.1, < 8.0.7, >= 8.1.0, < 8.1.8, >= 8.2.0, < 8.2.7, >= 8.3.0, < 8.3.1
  • HIGH 7.3 CVE-2021-39226 (KEV): Authentication bypass for viewing and deletions of snapshots
    Affected: from 0, < 7.5.11, >= 8.0.0, < 8.1.6
  • CRITICAL 10.0 CVE-2025-41115: Grafana Incorrect Privilege Assignment vulnerability in github.com/grafana/grafana
    Affected: >= 12.0.0, < 12.2.1
  • CRITICAL 9.9 CVE-2024-9264: Grafana Command Injection And Local File Inclusion Via Sql Expressions in github.com/grafana/grafana
    Affected: >= 11.0.0, < 11.2.2
  • CRITICAL 9.8 CVE-2022-39328: Grafana vulnerable to race condition allowing privilege escalation
    Affected: >= 9.2.0, < 9.2.4
  • CRITICAL 9.8 CVE-2022-26148: An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix.
    Affected: from 0, < 7.3.5
  • CRITICAL 9.8 CVE-2022-28660: The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is use…
    Affected: >= 1.1.0, < 1.2.1 | >= 1.3.0, <= 1.3.0
  • CRITICAL 9.8 CVE-2020-27846: XML Processing error in github.com/crewjam/saml
    Affected: from 0, < 6.7.5, >= 7.0.0, < 7.2.3, >= 7.3.0, < 7.3.6
  • CRITICAL 9.4 CVE-2023-3128: Grafana vulnerable to Authentication Bypass by Spoofing
    Affected: >= 6.7.0, < 8.5.27, >= 9.2.0, < 9.2.20, >= 9.3.0, < 9.3.16, >= 9.4.0, < 9.4.13, >= 9.5.0, < 9.5.4
  • CRITICAL 9.1 CVE-2026-27876: RCE on Grafana via sqlExpressions
    Affected: >= 11.6.0, < 11.6.14, >= 12.0.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.2
  • CRITICAL 9.1 CVE-2021-41244: Grafana Fine-grained access control vulnerability
    Affected: >= 8.0.0, < 8.2.4
  • HIGH 8.8 CVE-2022-23498: When query caching is enabled in Grafana users can query another users session
    Affected: >= 8.3.1, < 9.2.10, >= 9.3.0, < 9.3.4
  • HIGH 8.8 CVE-2022-24812: FGAC API Key privilege escalation in Grafana
    Affected: >= 8.1.0, < 8.4.6
  • HIGH 8.5 CVE-2022-29170: Grafana Enterprise datasource network restrictions bypass via HTTP redirects
    Affected: >= 7.4.0, < 7.5.16, >= 8.0.0, < 8.5.3
  • HIGH 8.3 CVE-2025-3260: Grafana vulnerable to authenticated users bypassing dashboard, folder permissions in github.com/grafana/grafana
    Affected: >= 11.6.0, < 11.6.1
  • HIGH 8.2 CVE-2021-27358: Denial of service in Grafana
    Affected: >= 6.7.3, < 7.4.2
  • HIGH 8.1 CVE-2026-21721: Dashboard Permissions Scope Bypass Enables Cross-Dashboard Privilege Escalation
    Affected: >= 10.2.0, < 11.6.9, >= 12.0.0, < 12.0.8, >= 12.1.0, < 12.1.5, >= 12.2.0, < 12.2.3, >= 12.3.0, < 12.3.1
  • HIGH 7.6 CVE-2025-6023: Grafana is vulnerable to XSS attacks through open redirects and path traversal in github.com/grafana/grafana
    Affected: >= 11.3.0, < 11.6.3, >= 12.0.0, < 12.0.2
  • HIGH 7.6 CVE-2025-4123: Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin
    Affected: from 0, < 10.4.18, >= 11.0.0, < 11.6.1, >= 12.0.0, < 12.0.0
  • HIGH 7.6 CVE-2022-36062: Grafana folders admin only permission privilege escalation in github.com/grafana/grafana
    Affected: from 0, < 8.5.13, >= 9.0.0, < 9.0.9, >= 9.1.0, < 9.1.6
  • HIGH 7.5 CVE-2026-27880: OpenFeature evaluation API reads input data with no bounds
    Affected: >= 12.1.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.2
  • HIGH 7.5 CVE-2026-21720: Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out
    Affected: >= 3.0.0, < 11.6.9, >= 12.0.0, < 12.0.8, >= 12.1.0, < 12.1.5, >= 12.2.0, < 12.2.3, >= 12.3.0, < 12.3.1
  • HIGH 7.5 CVE-2021-28148: One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessibl…
    Affected: >= 6.0.0, < 6.7.6, >= 7.0.0, < 7.3.10, >= 7.4.0, < 7.4.5
  • HIGH 7.5 CVE-2022-32275: Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/..
    Affected: >= 8.4.3, < 8.4.4
  • HIGH 7.5 CVE-2022-32276: Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI.
    Affected: >= 8.4.3, < 8.4.4
  • HIGH 7.5 CVE-2023-1387: Grafana is an open-source platform for monitoring and observability.
    Affected: >= 9.1.0, < 9.2.17, >= 9.3.0, < 9.3.13, >= 9.4.0, < 9.4.9
  • HIGH 7.5 CVE-2023-2801: Grafana Missing Synchronization vulnerability
    Affected: >= 9.4.0, < 9.4.12, >= 9.5.0, < 9.5.3
  • HIGH 7.4 CVE-2026-33376: Auth Proxy IPv6 whitelist bypass
    Affected: >= 9.4.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1
  • HIGH 7.3 CVE-2022-31097: Stored XSS in Grafana's Unified Alerting
    Affected: >= 8.0.0, < 8.3.10, >= 8.4.0, < 8.4.10, >= 8.5.0, < 8.5.9, >= 9.0.0, < 9.0.3
  • HIGH 7.2 CVE-2023-4399: Grafana is an open-source platform for monitoring and observability.
    Affected: >= 9.4.0, < 9.4.17, >= 9.5.0, < 9.5.13, >= 10.0.0, < 10.0.9, >= 10.1.0, < 10.1.5
  • HIGH 7.1 CVE-2026-33377: Dashboard Import Overwrites ACL: Editor Privilege Escalation to Dashboard Admin
    Affected: >= 8.5.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1
  • HIGH 7.1 CVE-2022-31107: Grafana account takeover via OAuth vulnerability
    Affected: >= 5.3.0, < 8.3.10, >= 8.4.0, < 8.4.10, >= 8.5.0, < 8.5.9, >= 9.0.0, < 9.0.3
  • HIGH 7.1 CVE-2021-27962: Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a…
    Affected: >= 7.2.0, < 7.3.10, >= 7.4.0, < 7.4.5
  • MEDIUM 6.9 CVE-2021-41174: XSS vulnerability allowing arbitrary JavaScript execution
    Affected: >= 8.0.0, < 8.2.3
  • MEDIUM 6.8 CVE-2025-41117: XSS in Grafana Explore stack trace
    Affected: >= 12.2.0, < 12.2.4, >= 12.3.0, < 12.3.2
  • MEDIUM 6.8 CVE-2025-2703: The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability.
    Affected: >= 11.2.0, < 11.5.3, >= 11.6.0, < 11.6.0
  • MEDIUM 6.8 CVE-2022-39201: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
    Affected: >= 5.0.1, < 8.5.14, >= 9.0.0, < 9.1.8
  • MEDIUM 6.8 CVE-2022-21702: Cross site scripting in Grafana proxy
    Affected: >= 2.0.1, < 7.5.15, >= 8.0.0, < 8.3.5
  • MEDIUM 6.8 CVE-2022-21703: Cross Site Request Forgery in Grafana
    Affected: >= 3.0.1, < 7.5.15, >= 8.0.0, < 8.3.5
  • MEDIUM 6.7 CVE-2022-39307: Grafana User enumeration via forget password in github.com/grafana/grafana
    Affected: from 0, < 8.5.15, >= 9.0.0, < 9.2.4
  • MEDIUM 6.7 CVE-2022-39324: Grafana Spoofing originalUrl of snapshots
    Affected: from 0, < 8.5.16, >= 9.0.0, < 9.2.8
  • MEDIUM 6.7 CVE-2023-4822: Grafana privilege escalation vulnerability
    Affected: >= 8.0.0, < 9.4.16, >= 9.5.0, < 9.5.11, >= 10.0.0, < 10.0.7, >= 10.1.0, < 10.1.3 | >= 10.1.4, <= 10.1.4
  • MEDIUM 6.6 CVE-2022-35957: Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana
    Affected: from 0, < 8.5.13, >= 9.0.0, < 9.0.9, >= 9.1.0, < 9.1.6
  • MEDIUM 6.5 CVE-2026-33378: Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro
    Affected: >= 8.0.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1
  • MEDIUM 6.5 CVE-2026-28383: Grafana plugin resources can lead to unbounded memory allocation
    Affected: >= 6.7.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1
  • MEDIUM 6.5 CVE-2026-28380: BAC in Snapshot API allows deletion of unauthorized dashboard snapshots
    Affected: >= 9.4.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1
  • MEDIUM 6.5 CVE-2026-28379: Viewer-triggered race condition in Grafana Live leads to complete server crash
    Affected: >= 8.2.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1
  • MEDIUM 6.5 CVE-2026-28376: Grafana Live push endpoint allows unbounded memory allocation leading to OOM
    Affected: >= 8.0.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1
  • MEDIUM 6.5 CVE-2026-33375: Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS
    Affected: >= 11.6.0, < 11.6.14, >= 12.1.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.2
  • MEDIUM 6.5 CVE-2026-28375: Grafana Testdata datasource can issue unbounded memory allocations
    Affected: >= 8.1.0, < 11.6.14, >= 12.0.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.2
  • MEDIUM 6.5 CVE-2026-27879: Query resampling can cause unbounded memory allocations
    Affected: >= 8.0.0, < 11.6.14, >= 12.0.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.2
  • MEDIUM 6.5 CVE-2026-27877: Grafana public dashboards disclose all direct mode datasources
    Affected: >= 9.3.0, < 11.6.14, >= 12.0.0, < 12.1.10, >= 12.2.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.2
  • MEDIUM 6.5 CVE-2024-1313: Users outside an organization can delete a snapshot with its key
    Affected: >= 9.5.0, < 9.5.18, >= 10.0.0, < 10.0.13, >= 10.1.0, < 10.1.9, >= 10.2.0, < 10.2.6, >= 10.3.0, < 10.3.5
  • MEDIUM 6.5 CVE-2021-28146: The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue.
    Affected: >= 7.4.0, < 7.4.5
  • MEDIUM 6.5 CVE-2021-28147: The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control is…
    Affected: >= 6.0.0, < 6.7.6, >= 7.0.0, < 7.3.10, >= 7.4.0, < 7.4.5
  • MEDIUM 6.4 CVE-2022-39306: Grafana contains Improper Input Validation
    Affected: >= 8.0.0, < 8.5.15, >= 9.0.0, < 9.2.4
  • MEDIUM 6.4 CVE-2023-22462: Stored XSS in Grafana Text plugin
    Affected: >= 9.2.0, < 9.2.10, >= 9.3.0, < 9.3.4
  • MEDIUM 6.3 CVE-2026-33380: SQL Expressions Read File From Disk
    Affected: >= 11.6.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1
  • MEDIUM 6.2 CVE-2023-1410: Grafana Stored Cross-site Scripting in Graphite FunctionDescription tooltip
    Affected: >= 8.0.0, < 8.5.22, >= 9.2.0, < 9.2.15, >= 9.3.0, < 9.3.11
  • MEDIUM 6.1 CVE-2022-31123: Grafana Plugin signature bypass in github.com/grafana/grafana
    Affected: >= 7.0.0, < 8.5.14, >= 9.0.0, < 9.1.8
  • MEDIUM 6.1 CVE-2020-12052: Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
    Affected: from 0, < 6.7.3
  • MEDIUM 6.1 CVE-2020-24303: Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana
    Affected: from 0, < 7.0.6
  • MEDIUM 6.1 CVE-2020-13430: Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana
    Affected: from 0, < 7.0.0
  • MEDIUM 6.1 CVE-2020-12245: Grafana XSS in header column rename in github.com/grafana/grafana
    Affected: from 0, < 6.7.3
  • MEDIUM 6.0 CVE-2024-1442: Grafana's users with permissions to create a data source can CRUD all data sources
    Affected: >= 8.5.0, < 9.5.7, >= 10.0.0, < 10.0.12, >= 10.1.0, < 10.1.8, >= 10.2.0, < 10.2.5, >= 10.3.0, < 10.3.4
  • MEDIUM 5.9 CVE-2026-33381: Users can generate Service Account tokens after permissions removal
    Affected: >= 9.2.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1
  • MEDIUM 5.8 CVE-2020-13379: Server Side Request Forgery in Grafana
    Affected: >= 3.0.1, < 7.0.2
  • MEDIUM 5.5 CVE-2025-3580: An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server admin…
    Affected: >= 10.4.18, < 10.4.19, >= 11.2.9, < 11.2.10, >= 11.3.6, < 11.3.7, >= 11.4.4, < 11.4.5, >= 11.5.4, < 11.5.5, >= 11.6.1, < 11.6.2, >= 12.0.0, < 12.0.1
  • MEDIUM 5.5 CVE-2020-12458: Grafana information disclosure in github.com/grafana/grafana
    Affected: from 0, < 6.7.4
  • MEDIUM 5.5 CVE-2020-12459: Grafana world readable configuration files
    Affected: >= 6.0.0, < 6.3.7
  • MEDIUM 5.4 CVE-2026-21724: Missing Protected-field Authorization in Provisioning Contact Points API
    Affected: >= 11.6.9, < 11.6.14, >= 12.1.5, < 12.1.10, >= 12.2.2, < 12.2.8, >= 12.3.1, < 12.3.6
  • MEDIUM 5.4 CVE-2022-23552: Grafana stored XSS in FileUploader component
    Affected: >= 8.1.0, < 8.5.16, >= 9.0.0, < 9.2.10, >= 9.3.0, < 9.3.4
  • MEDIUM 5.4 CVE-2023-6152: Email Validation Bypass And Preventing Sign Up From Email's Owner
    Affected: >= 2.5.0, < 9.5.16, >= 10.0.0, < 10.0.11, >= 10.1.0, < 10.1.7, >= 10.2.0, < 10.2.4, >= 10.3.0, < 10.3.3
  • MEDIUM 5.4 CVE-2023-0594: Grafana vulnerable to Cross-site Scripting
    Affected: >= 7.0.0, < 8.5.21, >= 9.2.0, < 9.2.13, >= 9.3.0, < 9.3.8
  • MEDIUM 5.4 CVE-2023-0507: Grafana vulnerable to Cross-site Scripting
    Affected: >= 8.1.0, < 8.5.21, >= 9.2.0, < 9.2.13, >= 9.3.0, < 9.3.8
  • MEDIUM 5.4 CVE-2020-11110: Grafana stored XSS in github.com/grafana/grafana
    Affected: from 0, < 6.7.2
  • MEDIUM 5.3 CVE-2026-21722: Public Dashboards time range restriction on annotations can be bypassed
    Affected: >= 9.3.0, < 11.6.10, >= 12.0.0, < 12.1.6, >= 12.2.0, < 12.2.4, >= 12.3.0, < 12.3.2
  • MEDIUM 5.3 CVE-2023-5122: SSRF in CSV Datasource Plugin
    Affected: from 0, < 0.6.13
  • MEDIUM 5.0 CVE-2025-3454: Grafana's datasource proxy API allows authorization checks to be bypassed in github.com/grafana/grafana
    Affected: >= 10.4.0, < 10.4.17, >= 11.2.0, < 11.5.3, >= 11.6.0, < 11.6.0
  • MEDIUM 4.9 CVE-2022-31130: Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
    Affected: from 0, < 8.5.14, >= 9.0.0, < 9.1.8
  • MEDIUM 4.4 CVE-2024-6322: Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana
    Affected: >= 11.1.0, < 11.1.3
  • MEDIUM 4.3 CVE-2026-28374: IDOR in Annotations API allows unprivileged users to DELETE annotation
    Affected: >= 8.5.0, < 11.6.14, >= 12.0.0, < 12.2.8, >= 12.3.0, < 12.3.6, >= 12.4.0, < 12.4.3, >= 13.0.0, < 13.0.1
  • MEDIUM 4.3 CVE-2025-3415: Grafana's insecure DingDing Alert integration exposes sensitive information in github.com/grafana/grafana
    Affected: >= 10.4.0, < 10.4.19, >= 11.2.0, < 11.6.2, >= 12.0.0, < 12.0.1
  • MEDIUM 4.3 CVE-2024-11741: Grafana Alerting VictorOps integration could be exposed to users with Viewer permission
    Affected: >= 10.4.0, < 10.4.15, >= 11.1.0, < 11.5.0
  • MEDIUM 4.3 CVE-2022-39229: Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana
    Affected: from 0, < 8.5.14, >= 9.0.0, < 9.1.8
  • MEDIUM 4.3 CVE-2022-21713: Exposure of Sensitive Information in Grafana
    Affected: >= 5.0.0, < 7.5.15, >= 8.0.0, < 8.3.5
  • MEDIUM 4.3 CVE-2021-43815: Grafana directory traversal for .cvs files
    Affected: from 0, < 7.5.12, >= 8.0.0, < 8.3.2
  • MEDIUM 4.3 CVE-2021-43813: Directory Traversal in Grafana
    Affected: >= 5.0.0, < 7.5.12, >= 8.0.0, < 8.3.2
  • MEDIUM 4.3 CVE-2022-21673: OAuth Identity Token exposure in Grafana
    Affected: >= 7.2.0, < 7.5.13, >= 8.0.0, < 8.3.4
  • MEDIUM 4.2 CVE-2025-6197: An open redirect vulnerability has been identified in Grafana OSS organization switching functionality.
    Affected: >= 11.3.0, < 11.6.3, >= 12.0.0, < 12.0.2
  • MEDIUM 4.1 CVE-2023-2183: Grafana has Broken Access Control in Alert manager: Viewer can send test alerts
    Affected: >= 8.0.0, < 8.5.26, >= 9.0.0, < 9.2.19, >= 9.3.0, < 9.3.15, >= 9.4.0, < 9.4.12, >= 9.5.0, < 9.5.3
  • LOW 3.3 CVE-2026-21727: Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record
    Affected: from 0, < 11.6.11, >= 12.0.0, < 12.0.9, >= 12.1.0, < 12.1.6, >= 12.2.0, < 12.2.4, >= 12.3.0, < 12.3.3
  • LOW 2.7 CVE-2025-1088: Grafana long dashboard title or panel name causes unresponsives in github.com/grafana/grafana
    Affected: from 0, < 11.6.2
  • LOW 2.2 CVE-2024-10452: Grafana org admin can delete pending invites in different org in github.com/grafana/grafana
    Affected: from 0, < 10.4.13, >= 11.0.0, < 11.4.0
  • LOW 2.0 CVE-2026-21725: Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name
    Affected: >= 11.0.0, < 12.4.1
  • CVE-2025-12141: Grafana Alerting Editors can edit destination of webhooks they did not create
    Affected: >= 8.0.0, < 12.3.1
  • CVE-2024-8118: Grafana alerting wrong permission on datasource rule write endpoint
    Affected: >= 8.5.0, < 10.4.9, >= 11.0.0, < 11.2.1