CVE-2026-21722
MEDIUMGrafana 9.3.0-12.3.1 - Unauthenticated Authorization Bypass via Public Dashboard
Title source: llmDescription
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.
References (2)
Core 2
Core References
Various Sources
https://grafana.com/security/security-advisories/CVE-2026-21722
Broken Link vendor-advisory
https://grafana.com/security/security-advisories/cve-2026-21722
Scores
CVSS v3
5.3
EPSS
0.0030
EPSS Percentile
21.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-863
CWE-200
Status
published
Products (13)
grafana/grafana
11.6.10
grafana/grafana
12.1.6
grafana/grafana
12.2.4
grafana/grafana
12.3.2
grafana/grafana
9.3.0 - 11.6.10
Grafana/grafana/grafana
12.0.0 - 12.1.6+security-01
Grafana/grafana/grafana
12.2.0 - 12.2.4+security-01
Grafana/grafana/grafana
12.3.0 - 12.3.2+security-01
Grafana/grafana/grafana
9.3.0 - 11.6.10+security-01
Grafana/grafana/grafana-enterprise
12.0.0 - 12.1.6+security-01
... and 3 more
Published
Feb 12, 2026
Tracked Since
Feb 18, 2026