Modified
Published: 12 Feb 2026, 08:49
Last modified: 13 May 2026, 19:28

Vulnerability Summary

  • Overall Risk (default): low, 21/100
  • CVSS Score: 5.3 MEDIUM, v3.1 (cve.org)
  • EPSS Score: 0.03% LOW (0% probability +0.01%)
  • KEV: Not listed
  • Ransomware: No reports
  • Public exploits: None found
  • Dark Web: Not detected

Timeline

  • 12 Feb 2026, 08:49: Published. Vulnerability first disclosed
  • 13 May 2026, 19:28: Last Modified. Vulnerability information updated

Description

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.

CVSS Metrics

  • v3.1 MEDIUM, Score: 5.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.03%, Percentile: 8%

Techniques & Countermeasures

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

    The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • CWE-863: Incorrect Authorization

    The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Affected Systems

  • grafana: grafana

    ≥ 9.3.0, < 11.6.10 | ≥ 12.0.0, < 12.1.6 | ≥ 12.2.0, ≤ 12.2.4 | ≥ 12.3.0, ≤ 12.3.2 | 11.6.10 | 12.1.6 | 12.2.4 | 12.3.2

  • grafana: grafana/grafana

    ≥ 9.3.0, < 11.6.10+security-01 | ≥ 12.0.0, < 12.1.6+security-01 | ≥ 12.2.0, < 12.2.4+security-01 | ≥ 12.3.0, < 12.3.2+security-01

  • grafana: grafana/grafana-enterprise

    ≥ 9.3.0, < 11.6.10+security-01 | ≥ 12.0.0, < 12.1.6+security-01 | ≥ 12.2.0, < 12.2.4+security-01 | ≥ 12.3.0, < 12.3.2+security-01
