CVE-2026-21721

Analyzed
Published: 27 Jan 2026, 09:07
Last modified: 13 May 2026, 19:28

Vulnerability Summary

Overall Risk (default)
medium
32/100
CVSS Score
8.1 HIGH
v3.1 (cve.org)
EPSS Score
0.02% LOW
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

27 Jan 2026, 09:07
Published
Vulnerability first disclosed
13 May 2026, 19:28
Last Modified
Vulnerability information updated

Description

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
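The flaw described above is a missing scope comparison in an authorization check, not a missing permission. The following Go program is an added illustration, not Grafana's code: it models an action/scope permission evaluator with the action-only check beside the scoped check, so the difference is visible on a constructed example. The scope format `dashboards:uid:<uid>`, the action `dashboards.permissions:write`, the trailing-`*` wildcard rule, and the user names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is one granted (action, scope) pair. Both strings may end in
// "*" as a prefix wildcard (assumed convention for this example).
type Permission struct {
	Action string
	Scope  string
}

// User carries the permissions the evaluator sees for a request.
type User struct {
	Name        string
	Permissions []Permission
}

// matches reports whether a granted pattern covers a requested value:
// exact equality, or a trailing "*" matching the requested value's prefix.
func matches(granted, requested string) bool {
	if strings.HasSuffix(granted, "*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return granted == requested
}

// dashboardScope builds the scope string for one dashboard UID (assumed format).
func dashboardScope(uid string) string {
	return "dashboards:uid:" + uid
}

// hasAction models the flawed check in the description: the request is
// allowed if the user holds the action on ANY scope, so the dashboard the
// request targets is never compared with the grant.
func hasAction(u User, action string) bool {
	for _, p := range u.Permissions {
		if matches(p.Action, action) {
			return true
		}
	}
	return false
}

// hasActionOnScope is the corrected check: a grant must cover both the
// requested action AND the scope of the target dashboard.
func hasActionOnScope(u User, action, scope string) bool {
	for _, p := range u.Permissions {
		if matches(p.Action, action) && matches(p.Scope, scope) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: alice may manage permissions on her own dashboard only.
	alice := User{Name: "alice", Permissions: []Permission{
		{Action: "dashboards.permissions:write", Scope: dashboardScope("alice-board")},
	}}
	action := "dashboards.permissions:write"
	target := dashboardScope("finance-board") // a dashboard alice was never granted

	fmt.Println("action-only check allows:", hasAction(alice, action))              // true: cross-dashboard escalation
	fmt.Println("scoped check allows:     ", hasActionOnScope(alice, action, target)) // false: denied
}
```

The detection angle follows from the same model: any permission-management request whose target dashboard scope is not covered by the caller's grants is exactly what the scoped check denies, so logging denials from `hasActionOnScope` where `hasAction` would have passed gives a direct signal for attempts against unpatched versions.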

CVSS Metrics

  • v3.1 HIGH, score 8.1, vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Trends

Current EPSS score: 0.02% Percentile: 5%

Techniques & Countermeasures

  • CWE-863: Incorrect Authorization

    The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Affected Systems

  • grafana: grafana

    ≥ 10.2.0, < 11.6.9 | ≥ 12.0.0, < 12.0.8 | ≥ 12.1.0, < 12.1.5 | ≥ 12.2.0, < 12.2.3 | 11.6.9 | 12.0.8 | 12.1.5 | 12.2.3 | 12.3.0 | 12.3.1

  • grafana: grafana/grafana

    ≥ 12.3.0, < 12.3.1 | ≥ 12.2.0, < 12.2.3 | ≥ 12.1.0, < 12.1.5 | ≥ 12.0.0, < 12.0.8 | ≥ 10.2.0, < 11.6.9

  • grafana: grafana/grafana-enterprise

    ≥ 10.2.0, < 11.6.9 | ≥ 12.0.0, < 12.0.8 | ≥ 12.1.0, < 12.1.5 | ≥ 12.2.0, < 12.2.3 | ≥ 12.3.0, < 12.3.1

References (2)