CVE-2026-21724

Aliases:GHSA-7g92-g4vh-hp84BIT-grafana-2026-21724

Advisory lineage Upstream: 0 Downstream: 3

Downstream

OPENSUSE-SU-2026:10601-1 SUSE-SU-2026:1524-1 UBUNTU-CVE-2026-21724

Analyzed

Published: 26 Mar 2026, 20:06

Last modified:13 May 2026, 19:28

Vulnerability Summary

Overall Risk (default)

low

22/100

CVSS Score

5.4 MEDIUM

v3.1 (cve.org)

EPSS Score

0.02% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

26 Mar 2026, 20:06

Published

Vulnerability first disclosed

13 May 2026, 19:28

Last Modified

Vulnerability information updated

Description

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

CVSS Metrics

v3.1•MEDIUM•Score: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
v3.1•MEDIUM•Score: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS Trends

Current EPSS score: 0.02%• Percentile: 5%

Techniques & Countermeasures

CWE-285•Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Affected Systems

github.com/grafana•grafana
< 1.9.2-0.20260323180334-daffe750de85
grafana•grafana
≥ 11.6.9, < 11.6.14 | ≥ 12.1.5, < 12.1.10 | ≥ 12.2.2, < 12.2.8 | ≥ 12.3.1, < 12.3.6
grafana•grafana oss
≥ >=v12.3.1, < <v12.3.6 | ≥ >=v12.2.2, < <v.12.2.8 | ≥ >=v.12.1.5, < <v.12.1.10 | ≥ >=v11.6.9, < <v11.6.14 | ≥ 12.3.1, < 12.3.6 | ≥ 12.2.2, < 12.2.8 | ≥ 12.1.5, < 12.1.10 | ≥ 11.6.9, < 11.6.14