CVE-2026-21724

MEDIUM

Missing Protected-field Authorization in Provisioning Contact Points API

Title source: cna

Description

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with the Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Scores

CVSS v3 5.4
EPSS 0.0001
EPSS Percentile 2.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-285
Status published
Products (6)
grafana/grafana (Go) 0 - 1.9.2-0.20260323180334-daffe750de85
grafana/grafana 11.6.9 - 11.6.14
Grafana/Grafana OSS 11.6.9 - 11.6.14
Grafana/Grafana OSS 12.1.5 - 12.1.10
Grafana/Grafana OSS 12.2.2 - 12.2.8
Grafana/Grafana OSS 12.3.1 - 12.3.6
Published Mar 26, 2026
Tracked Since Mar 27, 2026