CVE-2022-26148

CRITICAL NUCLEI

Grafana & Zabbix Integration - Credentials Disclosure

Title source: nuclei

Exploitation Summary

CVE-2022-26148 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.

Nuclei Templates (1)

Grafana & Zabbix Integration - Credentials Disclosure

CRITICALby Geekby

Shodan: title:"Grafana" || cpe:"cpe:2.3:a:grafana:grafana" || http.title:"grafana"

FOFA: app="Grafana" || title="grafana" || app="grafana"

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://2k8.org/post-319.html

Third Party Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20220425-0005/

Scores

CVSS v3 9.8

EPSS 0.5344

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-312

Status published

Products (5)

grafana/grafana < 7.3.4

redhat/ceph_storage 3.0

redhat/ceph_storage 4.0

redhat/ceph_storage 5.0

redhat/storage 3.0

Published Mar 21, 2022

Tracked Since Feb 18, 2026