
Grafana security release: Medium and high severity fixes for CVE-2025-3260, CVE-2025-2703, CVE-2025-3454

engineering on Grafana Labs

Today we are releasing security patches for Grafana 11.6.0, 11.5.3, 11.4.3, 11.3.5, 11.2.8, and 10.4.17. These patch releases include a high severity fix for CVE-2025-3260 and medium severity fixes for CVE-2025-2703 and CVE-2025-3454.

If you are currently running Grafana OSS or Grafana Enterprise, please update to one of the above security releases to address all the vulnerabilities described below. While all of these releases are patched, we generally recommend that you choose the one that corresponds to your current version or branch (for example, 11.4.x, 11.5.x, and so on).

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.

Bypass Viewer and Editor permissions (CVE-2025-3260)

Summary

During the development of a new feature in Grafana 11.6.x, a security vulnerability was introduced that allows for Viewers and Editors to bypass dashboard-specific permissions. As a result, users with the Viewer role could view all the dashboards within their org and users with the Editor role could view, edit, and delete all the dashboards in their org. 

Note: Organization isolation boundaries still apply, which means viewers and editors in one organization cannot view or edit dashboards in another org. Also, this vulnerability does not allow users to query data via data sources they don’t have access to.

The CVSS score for this vulnerability is 8.3 HIGH.

Impact

In developing the new /apis/dashboard.grafana.app/* endpoints for Grafana 11.6.x, a security vulnerability was introduced that allows Viewers and Editors to bypass permissions for dashboards and folders. As a result: 

  • Users with the Viewer role can view all the dashboards within their org, even if they don’t have permissions to view those dashboards.
  • Users with the Editor role can view, edit, or delete all the dashboards within their org, even if they don’t have permissions to view, edit, or delete those dashboards.

The vulnerability also applies to instances with anonymous authentication:

  • When anonymous authentication is configured with a Viewer role, anonymous users will be able to view all dashboards. 
  • When anonymous authentication is configured with an Editor role, anonymous users will be able to create, edit, or delete all dashboards.

Impacted versions

>= Grafana 11.6.0

Solutions and mitigations

To fully address CVE-2025-3260, please upgrade your Grafana instances.

The alternative is to put network policies in place that block all inbound traffic to the following paths:

  • /apis/dashboard.grafana.app/v0alpha1
  • /apis/dashboard.grafana.app/v1alpha1
  • /apis/dashboard.grafana.app/v2alpha1

Note: Because Grafana is capable of issuing requests via data sources, the data source proxy, and various other features, these policies must be robust enough to block requests coming from localhost.

Timeline and post-incident review

Here is a detailed incident timeline starting from when we originally introduced the issue. All times are in UTC.

  • 2025-01-15 - Faulty dashboard permission evaluation logic is introduced in Grafana.
  • 2025-02-21 - A second piece of faulty dashboard permission evaluation logic is introduced in Grafana.
  • 2025-04-04 4:21 - Internal incident declared. 
  • 2025-04-04 9:06 - CVE-2025-3260 reserved.
  • 2025-04-04 9:21 - We introduced a patch for Grafana Cloud.
  • 2025-04-04 23:11 - We concluded that no one exploited the vulnerability in Grafana Cloud. 
  • 2025-04-08 8:14 - Private release.
  • 2025-04-22 20:00 - Public release.
  • 2025-04-23 01:00 - Blog post published. 

DOM XSS vulnerability (CVE-2025-2703)

Summary

An external security researcher responsibly reported a DOM XSS vulnerability in Grafana’s built-in XY chart plugin.

The CVSS score for this vulnerability is 6.8 MEDIUM.

Impact

A Grafana user with Editor permissions or `fixed:library.panels:general.writer` RBAC permissions can edit an XY chart panel to include an XSS payload, which will execute arbitrary JavaScript upon render. Due to the nature of the XSS, the current Content Security Policy is not effective in stopping the JavaScript from executing.

Impacted versions

>= Grafana 11.1.0

Solutions and mitigations

To fully address CVE-2025-2703, please upgrade your Grafana instances.

As an alternative for Grafana OSS and Grafana Enterprise, you can enable Trusted Types.

Trusted Types is an extension to the Content Security Policy that effectively mitigates DOM XSS vulnerabilities by preventing the injection of untrusted data into critical DOM sinks such as innerHTML, eval, new Function(), and similar APIs, which were the sinks at fault in this vulnerability.

Note: Trusted Types is an experimental feature and, if enabled, it will affect your entire Grafana instance. To learn more, refer to our Trusted Types announcement blog post and enablement documentation.

Timeline and post-incident review

Here is a detailed incident timeline starting from when we originally introduced the issue. All times are in UTC.

  • 2025-03-14 13:03 - Initial email sent to [email protected]
  • 2025-03-21 11:35 - Grafana Labs Security Team responds with confirmation.
  • 2025-04-04 10:32 - Fixes merged and backported.
  • 2025-04-07 23:54 - Private release.
  • 2025-04-22 20:00 - Public release.
  • 2025-04-23 01:00 - Blog published.

Authorization bypass in data source proxy API (CVE-2025-3454)

Summary

This vulnerability, which was discovered while reviewing a pull request from an external contributor, affects Grafana’s data source proxy API and allows authorization checks to be bypassed by adding an extra slash character (/) in the URL path. Among Grafana-maintained data sources, the vulnerability only affects the read paths of Prometheus (all flavors) and Alertmanager when configured with basic authorization.

The CVSS score for this vulnerability is 5.0 MEDIUM.

Impact

Grafana users could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus data sources, regardless of their assigned roles and permissions. In addition to Alertmanager and certain Prometheus-based data sources, the vulnerability primarily affects data sources that implement route-specific permissions and use basic authorization to access the data source.

Impacted versions

>= Grafana 8.0

Grafana instances running versions between Grafana 8.x and Grafana 10.4.x should upgrade to Grafana 10.4.17+security-01.

Solutions and mitigations

To fully address CVE-2025-3454, please upgrade your Grafana instances.

As an alternative, you can use a reverse proxy that can sanitize the URL before sending data to Grafana.
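The reverse-proxy mitigation above and the network-policy mitigation for CVE-2025-3260 (blocking the three /apis/dashboard.grafana.app/* prefixes) can both be expressed as a small path-sanitizing proxy in front of Grafana. The code below is an added illustration written for this page, not Grafana's own code or its internal route logic; the upstream address 127.0.0.1:3000 is an assumption, and the trailing-slash handling is a design choice rather than anything the advisory specifies.

```go
package main

import (
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// Dashboard API prefixes listed in the CVE-2025-3260 mitigation.
var blockedPrefixes = []string{
	"/apis/dashboard.grafana.app/v0alpha1",
	"/apis/dashboard.grafana.app/v1alpha1",
	"/apis/dashboard.grafana.app/v2alpha1",
}

// normalizePath collapses duplicate slashes and resolves "." and ".." so that
// route rules see the canonical path; a trailing slash is kept deliberately.
func normalizePath(p string) string {
	cleaned := path.Clean("/" + p)
	if strings.HasSuffix(p, "/") && cleaned != "/" {
		cleaned += "/"
	}
	return cleaned
}

// sanitizeDecision returns the canonical path and whether it must be blocked.
func sanitizeDecision(rawPath string) (string, bool) {
	p := normalizePath(rawPath)
	for _, prefix := range blockedPrefixes {
		if p == prefix || strings.HasPrefix(p, prefix+"/") {
			return p, true
		}
	}
	return p, false
}

// newSanitizingProxy fronts Grafana at upstream (an assumed address), canonicalizing paths and rejecting blocked prefixes.
func newSanitizingProxy(upstream *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, blocked := sanitizeDecision(r.URL.Path)
		if blocked {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		r.URL.Path, r.URL.RawPath = p, "" // canonical Path is now authoritative
		rp.ServeHTTP(w, r)
	})
}
```

Serve it with `http.ListenAndServe(":8080", newSanitizingProxy(upstream))` and point clients at the proxy rather than Grafana directly. As the advisory notes for the network-policy approach, a proxy in front of Grafana does not cover requests Grafana issues to itself from localhost, so upgrading remains the complete fix.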

Timeline and post-incident review

Here is a detailed incident timeline starting from when we originally introduced the issue. All times are in UTC.

  • 2021-04-14 - The faulty permission evaluation logic is introduced into Grafana.
  • 2025-03-25 21:20 - During an internal review of related code changes, the vulnerability is discovered and an incident is declared.
  • 2025-03-26 18:05 - The impact is identified in Grafana 8.0+.
  • 2025-03-27 15:34 - The fix for the vulnerability is opened.
  • 2025-04-01 15:43 - The fix and all backports are merged.
  • 2025-04-08 20:30 - CVE is assigned.
  • 2025-04-08 16:48 - Private release.
  • 2025-04-22 20:00 - Public release.
  • 2025-04-23 01:00 - Blog post published.

Reporting security issues

If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.