CVE-2025-12141

MEDIUM

Grafana Alerting Editors can edit destination of webhooks they did not create

Title source: cna

Description

In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.

References (1)

Core 1

Core References

https://grafana.com/security/security-advisories/cve-2025-12141/

Scores

CVSS v3 6.5

EPSS 0.0026

EPSS Percentile 16.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (2)

grafana/grafana 8.0.0 - 12.3.0

Grafana/Grafana Alerting 8.0.0 - 12.3.0

Published Apr 15, 2026

Tracked Since Apr 15, 2026