<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Vulnerability Spoiler Alert - grafana/grafana</title>
    <link>https://spaceraccoon.github.io/vulnerability-spoiler-alert</link>
    <description>Vulnerability alerts for grafana/grafana</description>
    <language>en-us</language>
    <lastBuildDate>Fri, 17 Apr 2026 01:52:35 GMT</lastBuildDate>
    <atom:link href="https://spaceraccoon.github.io/vulnerability-spoiler-alert/feed/grafana-grafana.xml" rel="self" type="application/rss+xml"/>
    <item>
      <title>[MEDIUM] Denial of Service (Unbounded Request Body) in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/125</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/125</guid>
      <pubDate>Mon, 30 Mar 2026 12:36:49 GMT</pubDate>
      <description>The OFREP endpoint&apos;s `validateNamespace` function used `io.ReadAll(r.Body)` without any size limit, allowing an attacker to send arbitrarily large request bodies that would be fully read into memory. This could exhaust server memory and cause a denial of service. The fix applies `http.MaxBytesReader` to limit the body to 1 MiB before reading.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Denial of Service (Resource Exhaustion) in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/123</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/123</guid>
      <pubDate>Fri, 27 Mar 2026 14:45:04 GMT</pubDate>
      <description>The fill resampling feature in Grafana&apos;s SQL datasources (MySQL, PostgreSQL, MSSQL) could be exploited to cause excessive memory allocation. By crafting a query with a very large time range and a very small fill interval (e.g., time range spanning years with millisecond intervals), an attacker could trigger `sqlutil.ResampleWideFrame` to allocate an enormous number of data points, exhausting server memory and causing a denial of service. The patch adds a guard that skips the fill operation if the number of fill points would exceed the configured row limit.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Sensitive Data Exposure in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/122</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/122</guid>
      <pubDate>Fri, 27 Mar 2026 08:29:30 GMT</pubDate>
      <description>When a user creates a Kubernetes resource containing inline secure values (raw secrets) via kubectl apply, the kubectl client automatically stores the full object including the raw secret value in the `kubectl.kubernetes.io/last-applied-configuration` annotation. This annotation is persisted in the API server and can be read back by anyone with read access to the resource, effectively leaking the raw secret value. The patch clears this annotation when a raw secret is detected in the inline secure values section, preventing the secret from being stored in plaintext in the annotation.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Broken Access Control / Authorization Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/120</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/120</guid>
      <pubDate>Thu, 26 Mar 2026 09:05:25 GMT</pubDate>
      <description>Before this patch, the Kubernetes-style IAM API endpoint `/apis/iam.grafana.app/v0alpha1/namespaces/{ns}/users/{name}/teams` used the generic `ResourceAuthorizer` which only checked `get` permission on the `users` resource itself, but did not properly enforce the `teams` subresource authorization. According to the commit, the RBAC service would ignore the &apos;teams&apos; subresource check, meaning any user with generic `users:read` permission could potentially access team membership data for users they shouldn&apos;t be able to see. The patch adds a dedicated `UserAuthorizer` that explicitly checks `get` permission on the parent user when the `teams` subresource is requested.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Broken Access Control / Information Disclosure in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/119</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/119</guid>
      <pubDate>Wed, 25 Mar 2026 16:21:48 GMT</pubDate>
      <description>The `/api/alertmanager/grafana/api/v2/status` endpoint was protected by the `alert.notifications:read` permission, which is granted to Viewers and Editors by default. This allowed any authenticated user (including low-privileged Viewers) to access Alertmanager system status information including routing configuration, receivers configuration, and other sensitive system details. The patch replaces this with a new dedicated `alert.notifications.system-status:read` permission that is only granted to Admin users.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Authorization Bypass / Improper Access Control in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/118</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/118</guid>
      <pubDate>Wed, 25 Mar 2026 14:48:37 GMT</pubDate>
      <description>Before the patch, the `validateWriteAccess` function did not handle `JobActionFixFolderMetadata` in its switch statement, meaning it fell through to the `default` case which applies no ref-based restriction. This allowed users to trigger a fix-folder-metadata job that would write directly to the default/main branch even when the repository was configured with only a &apos;branch&apos; workflow (meaning the default branch should be read-only). The patch adds the missing case to extract the target ref from `FixFolderMetadata.Ref` and apply proper write permission checks.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Broken Access Control / Privilege Escalation in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/89</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/89</guid>
      <pubDate>Fri, 20 Mar 2026 23:04:40 GMT</pubDate>
      <description>Before this patch, the GET /api/alertmanager/grafana/config/api/v1/alerts endpoint (which returns the raw Alertmanager configuration blob, potentially containing sensitive credentials like SMTP passwords, webhook secrets, and API tokens) was accessible to any user with the broad &apos;alert.notifications:read&apos; permission, which was granted to Viewers and Editors. Similarly, GET /config/history and POST /config/history/{id}/_activate were accessible to users with alert.notifications:read/write. The patch restricts these endpoints to admin-only via new fine-grained RBAC actions (alert.notifications.config-history:read/write).</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[CRITICAL] XML Signature Wrapping / Authentication Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/87</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/87</guid>
      <pubDate>Fri, 20 Mar 2026 09:44:54 GMT</pubDate>
      <description>GHSA-479m-364c-43vc describes a vulnerability in github.com/russellhaering/goxmldsig (used for SAML XML digital signature validation) where an attacker could bypass XML signature verification. The library also depends on github.com/beevik/etree for XML parsing, and the combination of versions before this fix allowed signature wrapping attacks where a malicious SAML response could include a valid signature over one element while the actual authenticated data came from a different, attacker-controlled element. This allowed authentication bypass in Grafana&apos;s SAML SSO implementation.</description>
      <category>critical</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Open Redirect in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/86</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/86</guid>
      <pubDate>Thu, 19 Mar 2026 11:55:47 GMT</pubDate>
      <description>The Grafana short URL feature allowed authenticated users to create short URLs with arbitrary target paths, including external URLs like `http://evil.com` or protocol-relative URLs like `//evil.com`. When a victim clicked a Grafana short URL, they would be silently redirected to the attacker-controlled external domain. The patch adds validation at both creation time and redirect time to ensure paths are always relative and cannot contain schemes, protocol-relative prefixes, or other external URL patterns.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Denial of Service / HTTP/2 Protocol Vulnerability in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/85</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/85</guid>
      <pubDate>Thu, 19 Mar 2026 10:26:36 GMT</pubDate>
      <description>This commit patches CVE-2026-33186 in the google.golang.org/grpc library by upgrading from v1.79.1 to v1.79.3. The vulnerability exists in the gRPC-Go HTTP/2 implementation and can be exploited to cause a denial of service condition. The patch updates the dependency across multiple Go modules in the Grafana repository to remediate the vulnerability.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Authorization Bypass / Privilege Escalation in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/83</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/83</guid>
      <pubDate>Wed, 18 Mar 2026 11:30:36 GMT</pubDate>
      <description>Before the patch, a resource manager could be changed directly from one manager to another (e.g., from repo:abc to terraform:xyz) in a single update operation without going through a remove-then-add workflow. This allowed one management system (e.g., Terraform) to silently take over resources managed by another system (e.g., a Git repository), potentially leading to unauthorized control over managed resources and unpredictable reconciliation conflicts. The patch adds an explicit check that blocks any update where both old and new objects have a manager set but with different values, returning HTTP 403.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Broken Access Control in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/82</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/82</guid>
      <pubDate>Tue, 17 Mar 2026 23:42:42 GMT</pubDate>
      <description>Before this patch, the Grafana Live push endpoint (`/api/live/push/:streamId`) had no RBAC authorization check, allowing any authenticated user (including Viewers) to push metrics and events to Grafana Live streams. The patch adds an `authorize(ac.EvalPermission(ac.ActionLivePush))` middleware that restricts this endpoint to users with the `live:push` permission (granted to Editors and Admins by default).</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Authentication Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/80</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/80</guid>
      <pubDate>Tue, 17 Mar 2026 19:06:19 GMT</pubDate>
      <description>The MSSQL connection string was built by directly concatenating the username and password without escaping special characters. Since semicolons are used as key-value delimiters in the connection string, a password containing a semicolon would be truncated at the semicolon, allowing authentication bypass or connection to unintended databases. For example, a password like `StrongPass;database=other` would cause the driver to parse `database=other` as a separate connection string parameter.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Authorization Bypass / Privilege Escalation in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/79</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/79</guid>
      <pubDate>Tue, 17 Mar 2026 15:19:41 GMT</pubDate>
      <description>The provisioning API&apos;s `UpdateContactPoint` endpoint did not perform authorization checks for protected fields (e.g., webhook URLs, API keys) before the patch. Any user with access to the provisioning API could modify protected/sensitive fields in contact points without the required `receivers:update.protected` permission, bypassing the security controls enforced by the regular receiver API. The patch adds a `checkProtectedFields` method that verifies the user has appropriate permissions before allowing modifications to protected fields.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Missing Authorization / Broken Access Control in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/74</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/74</guid>
      <pubDate>Mon, 16 Mar 2026 23:39:58 GMT</pubDate>
      <description>Before this patch, the Kubernetes API endpoints for dashboard snapshots (GET, LIST, DELETE, POST /create, DELETE /delete/{deleteKey}, GET /settings) used a default `ServiceAuthorizer` that did not enforce RBAC permissions for snapshot resources. Any authenticated user, regardless of their assigned permissions, could read, list, create, and delete snapshots. The patch adds a `SnapshotAuthorizer` that maps K8s verbs to Grafana RBAC actions (`snapshots:read`, `snapshots:create`, `snapshots:delete`) and applies RBAC checks to the custom HTTP routes as well.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Broken Access Control / Insecure Direct Object Reference in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/73</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/73</guid>
      <pubDate>Mon, 16 Mar 2026 19:56:58 GMT</pubDate>
      <description>Public dashboard CRUD endpoints (Delete, Update, ExistsEnabledByDashboardUid) were only checking the user&apos;s role/permissions but not validating that the public dashboard being operated on belonged to the same organization as the requesting user. This allowed an authenticated user with Editor+ permissions in Org B to delete, update, or check the existence of public dashboards belonging to Org A, without having access to the source dashboard. The patch adds org_id checks to all relevant database queries to enforce org isolation.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] XSS / Prototype Pollution in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/72</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/72</guid>
      <pubDate>Fri, 06 Mar 2026 08:43:52 GMT</pubDate>
      <description>DOMPurify 3.3.1 contained multiple security vulnerabilities: a bypass via jsdom&apos;s faulty raw-text tag parsing that could allow XSS payloads to pass through sanitization, a prototype pollution issue when working with custom elements, and a lenient config parsing issue in `_isValidAttribute`. These vulnerabilities could allow attackers to inject malicious HTML/JavaScript that bypasses DOMPurify&apos;s sanitization, leading to XSS attacks in Grafana&apos;s frontend which uses DOMPurify to sanitize user-supplied content.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Regular Expression Denial of Service (ReDoS) in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/71</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/71</guid>
      <pubDate>Fri, 06 Mar 2026 08:43:36 GMT</pubDate>
      <description>The minimatch package prior to version 3.1.2 (and related versions) contained a ReDoS vulnerability (CVE-2022-3517) where specially crafted patterns could cause catastrophic backtracking in the regular expression engine. This patch upgrades minimatch from vulnerable versions (3.0.5, 9.0.3, 5.0.1, 7.4.6) to patched versions (3.1.4, 10.2.4, 5.1.9, 7.4.9) that fix the ReDoS issue. The vulnerability could allow an attacker to cause denial of service by providing a malicious glob pattern.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Prototype Pollution in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/70</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/70</guid>
      <pubDate>Fri, 06 Mar 2026 08:23:33 GMT</pubDate>
      <description>The immutable library versions prior to 5.1.5 contained a Prototype Pollution vulnerability (Improperly Controlled Modification of Object Prototype Attributes). This allowed attackers to manipulate JavaScript object prototypes through specially crafted keys like &apos;__proto__&apos;, &apos;constructor&apos;, or &apos;prototype&apos;, potentially affecting all objects in the application. The patch upgrades immutable from 5.1.4 to 5.1.5 which fixes this vulnerability.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Path Traversal / Arbitrary File Overwrite in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/67</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/67</guid>
      <pubDate>Tue, 03 Mar 2026 15:02:11 GMT</pubDate>
      <description>The `tar` npm package versions 6.x and earlier contain a path traversal vulnerability (CVE-2024-28863 and related CVEs) where specially crafted tar archives can write files outside the intended extraction directory. By bumping `tar` from version 6.x to 7.x, this patch removes the vulnerable version and its dependency chain (including the old `cacache@^15.2.0` which depended on `tar@^6.0.2`). The vulnerability allowed an attacker to craft a malicious tarball that, when extracted, could overwrite arbitrary files on the filesystem.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Authentication Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/54</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/54</guid>
      <pubDate>Tue, 24 Feb 2026 20:06:18 GMT</pubDate>
      <description>The code allowed SAML authentication to create duplicate user_auth records for SCIM-provisioned users instead of updating existing ones. An attacker could exploit this by logging in via SAML with a SCIM user&apos;s credentials to create a new auth record with their own AuthID, potentially bypassing access controls or creating authentication confusion.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Man-in-the-Middle Attack / Insufficient Certificate Validation in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/51</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/51</guid>
      <pubDate>Tue, 24 Feb 2026 09:33:41 GMT</pubDate>
      <description>The code before the patch used HTTP transport without proper TLS certificate validation when communicating with external image renderer services. This allowed attackers to intercept HTTPS communications through man-in-the-middle attacks, potentially exposing authentication tokens and sensitive data. The patch adds support for custom CA certificates to enable proper certificate validation.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Open Redirect in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/47</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/47</guid>
      <pubDate>Mon, 23 Feb 2026 10:32:22 GMT</pubDate>
      <description>The ValidateRedirectTo function was vulnerable to open redirect attacks through URL fragments. Attackers could bypass path validation by using URL fragments containing dangerous patterns like &apos;../&apos; or &apos;//&apos;, which were not sanitized before the redirect. The patch fixes this by validating fragments and returning a sanitized URL string instead of the original user input.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Authorization Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/43</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/43</guid>
      <pubDate>Fri, 20 Feb 2026 08:43:39 GMT</pubDate>
      <description>The old authorization system used the deprecated Compile method, which performed authorization checks item-by-item during iteration, potentially allowing unauthorized access to resources due to race conditions or incomplete authorization state. The patch replaces this with FilterAuthorized using BatchCheck, which performs more robust batch authorization before returning results.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Hash Collision in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/41</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/41</guid>
      <pubDate>Thu, 19 Feb 2026 18:31:51 GMT</pubDate>
      <description>The code was truncating SHA256 hashes to only 10 characters when generating secret names, dramatically increasing collision probability from negligible to ~1 in 16^10. This allows attackers to craft field names that collide with existing secret field names, potentially accessing or modifying secrets they shouldn&apos;t have access to.</description>
      <category>medium</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Race Condition in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/36</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/36</guid>
      <pubDate>Thu, 19 Feb 2026 13:27:44 GMT</pubDate>
      <description>The code had a race condition vulnerability during database migrations where concurrent writes to legacy tables could occur during unified storage migrations in rolling upgrade scenarios. This could lead to data corruption or inconsistent state as multiple processes could simultaneously modify the same database tables without proper synchronization.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Authentication Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/35</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/35</guid>
      <pubDate>Thu, 19 Feb 2026 10:13:09 GMT</pubDate>
      <description>The code had a fallback authentication mechanism that would allow any request to bypass authorization checks when the primary authenticator failed. The fallback would accept requests with only namespace validation, effectively allowing unauthorized access to resources.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Access Control Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/34</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/34</guid>
      <pubDate>Wed, 18 Feb 2026 22:42:29 GMT</pubDate>
      <description>The scope resolver cache was not invalidated when datasources were deleted, causing stale name-to-UID mappings. When a datasource was deleted and a new one created with the same name, the cached entry would resolve to the deleted datasource&apos;s UID, leading to incorrect authorization decisions. The patch fixes this by invalidating the cache entry for the datasource name scope during deletion.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Information Disclosure in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/33</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/33</guid>
      <pubDate>Wed, 18 Feb 2026 22:42:17 GMT</pubDate>
      <description>The code exposed encrypted datasource secrets even when they were empty, potentially leaking secret metadata or encrypted empty values to unauthorized users. The patch fixes this by filtering out empty secrets before returning them in API responses.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Information Disclosure in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/31</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/31</guid>
      <pubDate>Wed, 18 Feb 2026 12:05:51 GMT</pubDate>
      <description>The audit logging configuration was exposing sensitive data source request and response bodies by default. This could lead to credentials, API keys, and sensitive query data being logged in plaintext audit files accessible to system administrators.</description>
      <category>medium</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[HIGH] Authorization Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/29</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/29</guid>
      <pubDate>Tue, 17 Feb 2026 16:03:27 GMT</pubDate>
      <description>The rolebindings API was accessible to all authenticated users without proper authorization checks. This allowed any user to potentially view, modify, or create role bindings, leading to privilege escalation. The patch restricts access to only access policy identities.</description>
      <category>high</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Authorization Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/22</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/22</guid>
      <pubDate>Mon, 16 Feb 2026 10:04:29 GMT</pubDate>
      <description>The endpoint allowed any authenticated user to access team member information without proper authorization checks. The patch adds a permission check requiring &apos;GetPermissions&apos; verb on the Team resource before returning member data.</description>
      <category>medium</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Resource Deletion Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/21</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/21</guid>
      <pubDate>Mon, 16 Feb 2026 08:00:28 GMT</pubDate>
      <description>The code allowed updating Repository resources to remove all finalizers, which would cause immediate deletion without proper cleanup when the resource is later deleted. This bypasses the intended cleanup workflow and could lead to orphaned resources or incomplete cleanup operations.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Authorization Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/20</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/20</guid>
      <pubDate>Mon, 16 Feb 2026 07:36:22 GMT</pubDate>
      <description>The files API endpoints were not enforcing quota limits, allowing authenticated users to bypass resource quotas and create unlimited files/dashboards. This could lead to resource exhaustion and denial of service. The patch adds quota checks before allowing POST/PUT operations on files.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Authorization Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/16</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/16</guid>
      <pubDate>Fri, 13 Feb 2026 18:44:38 GMT</pubDate>
      <description>The MT IAM API server was using a no-op storage backend for RoleBindings, which silently dropped all write operations and returned empty results for reads. Additionally, the authorizer denied all access to rolebindings. This created an authorization bypass where RBAC role bindings were completely non-functional, potentially allowing unauthorized access or preventing proper access controls from being enforced.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Privilege Escalation in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/11</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/11</guid>
      <pubDate>Wed, 11 Feb 2026 12:26:16 GMT</pubDate>
      <description>The vulnerability allows attackers to bypass time range restrictions on public dashboards when time selection is disabled. By manipulating request time parameters, attackers can access annotations outside the intended dashboard time range, potentially exposing sensitive data from unauthorized time periods.</description>
      <category>high</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] XSS in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/10</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/10</guid>
      <pubDate>Wed, 11 Feb 2026 12:26:10 GMT</pubDate>
      <description>The code was vulnerable to Cross-Site Scripting (XSS) by directly rendering user-controlled data via dangerouslySetInnerHTML without sanitization. Malicious trace data could inject JavaScript that would execute in users&apos; browsers. The patch fixes this by sanitizing HTML content with DOMPurify before rendering.</description>
      <category>medium</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Header Injection in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/9</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/9</guid>
      <pubDate>Wed, 11 Feb 2026 00:53:34 GMT</pubDate>
      <description>The code forwards arbitrary HTTP headers from incoming requests to outgoing gRPC calls without proper validation or sanitization. An attacker can inject malicious headers that could be used to bypass security controls, manipulate downstream services, or perform request smuggling attacks.</description>
      <category>medium</category>
      <category>confirmed</category>
    </item>
  </channel>
</rss>