HIGH: 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected versions (default status: unaffected)
12.3.0 (semver) before 12.3.1: affected
12.2.0 (semver) before 12.2.3: affected
12.1.0 (semver) before 12.1.5: affected
12.0.0 (semver) before 12.0.8: affected
10.2.0 (semver) before 11.6.9: affected
Description
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization-internal privilege escalation.
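The flaw described above is an authorization check that tests the action but not the scope it was granted on. The following added example (not Grafana's code; action and scope strings follow Grafana-style RBAC naming but are assumptions here) shows the weak action-only check beside a scoped check that also requires the grant to cover the target dashboard:

```go
package main

import (
	"fmt"
	"strings"
)

// Permission pairs an action with the scope it was granted on, e.g.
// action "dashboards.permissions:write" on scope "dashboards:uid:abc".
type Permission struct {
	Action string
	Scope  string
}

// scopeMatches reports whether a granted scope covers the target scope.
// Assumed syntax: exact match, or a trailing "*" wildcard prefix match.
func scopeMatches(granted, target string) bool {
	if strings.HasSuffix(granted, "*") {
		return strings.HasPrefix(target, strings.TrimSuffix(granted, "*"))
	}
	return granted == target
}

// canManagePermissionsWeak reproduces the flawed pattern from the advisory:
// it accepts any grant of the action and ignores the target scope entirely.
func canManagePermissionsWeak(perms []Permission, action, targetScope string) bool {
	for _, p := range perms {
		if p.Action == action {
			return true
		}
	}
	return false
}

// canManagePermissionsFixed requires the action AND a scope covering the target.
func canManagePermissionsFixed(perms []Permission, action, targetScope string) bool {
	for _, p := range perms {
		if p.Action == action && scopeMatches(p.Scope, targetScope) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed grant: the user may manage permissions on dashboard "abc" only.
	perms := []Permission{{Action: "dashboards.permissions:write", Scope: "dashboards:uid:abc"}}
	for _, target := range []string{"dashboards:uid:abc", "dashboards:uid:xyz"} {
		fmt.Printf("%s weak=%v fixed=%v\n", target,
			canManagePermissionsWeak(perms, "dashboards.permissions:write", target),
			canManagePermissionsFixed(perms, "dashboards.permissions:write", target))
	}
}
```

Running it shows the weak check allowing the write on "xyz", where the user holds no grant, while the scoped check denies it and still allows "abc".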
References
grafana.com/security/security-advisories/CVE-2026-21721