CVE-2026-21722 (GCVE-0-2026-21722)
Vulnerability from cvelistv5
Published
2026-02-12 08:49
Modified
2026-04-15 19:25
Severity: 5.3 (Medium), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Public dashboards with annotations enabled did not limit the annotation time range to the locked time range of the public dashboard. Anyone able to view the public dashboard could therefore read the entire history of annotations visible on that dashboard, including those outside the locked time range.
The issue did not expose any annotations that would not otherwise be visible on the public dashboard; only the time-range restriction was bypassed.
References
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/cve-2026-21722 | vendor-advisory |
Impacted products
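| Vendor | Product | Version |
|---|---|---|
| Grafana | grafana/grafana | 9.3.0 ≤ version < 11.6.10+security-01; 12.0.0 ≤ version < 12.1.6+security-01; 12.2.0 ≤ version < 12.2.4+security-01; 12.3.0 ≤ version < 12.3.2+security-01 |
| Grafana | grafana/grafana-enterprise | 9.3.0 ≤ version < 11.6.10+security-01; 12.0.0 ≤ version < 12.1.6+security-01; 12.2.0 ≤ version < 12.2.4+security-01; 12.3.0 ≤ version < 12.3.2+security-01 |

Each range is exclusive at its upper bound (the record's `lessThan` value), and versions outside the listed ranges have the default status `unaffected`. The upper bounds carry semver build metadata (`+security-01`), which strict semver precedence ignores, so automated version matching may treat the plain patch release of the same number (for example 11.6.10) as fixed; confirm the fixed builds against the vendor advisory.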
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T14:24:06.337064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T14:01:13.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.10+security-01",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "12.1.6+security-01",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.10+security-01",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "12.1.6+security-01",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-02-12T07:13:06.000Z",
"descriptions": [
{
"lang": "en",
"value": "Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\n\nThis did not leak any annotations that would not otherwise be visible on the public dashboard."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T19:25:06.746Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21722"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Public Dashboards time range restriction on annotations can be bypassed",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21722",
"datePublished": "2026-02-12T08:49:05.678Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-15T19:25:06.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-21722\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-12T14:24:06.337064Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863 Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-12T14:24:11.898Z\"}}], \"cna\": {\"title\": \"Public Dashboards time range restriction on annotations can be bypassed\", \"source\": {\"discovery\": \"BUG_BOUNTY\"}, \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"}}], \"affected\": [{\"vendor\": \"Grafana\", \"product\": \"grafana/grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.3.0\", \"lessThan\": \"11.6.10+security-01\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.0.0\", \"lessThan\": \"12.1.6+security-01\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.2.0\", \"lessThan\": \"12.2.4+security-01\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.3.0\", \"lessThan\": \"12.3.2+security-01\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Grafana\", \"product\": \"grafana/grafana-enterprise\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.3.0\", \"lessThan\": \"11.6.10+security-01\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.0.0\", \"lessThan\": \"12.1.6+security-01\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.2.0\", 
\"lessThan\": \"12.2.4+security-01\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.3.0\", \"lessThan\": \"12.3.2+security-01\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-02-12T07:13:06.000Z\", \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2026-21722\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\\n\\nThis did not leak any annotations that would not otherwise be visible on the public dashboard.\"}], \"providerMetadata\": {\"orgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"shortName\": \"GRAFANA\", \"dateUpdated\": \"2026-04-15T19:25:06.746Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-21722\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-15T19:25:06.746Z\", \"dateReserved\": \"2026-01-05T09:26:06.214Z\", \"assignerOrgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"datePublished\": \"2026-02-12T08:49:05.678Z\", \"assignerShortName\": \"GRAFANA\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.