Description

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with the Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

PUBLISHED Reserved 2026-01-05 | Published 2026-03-26 | Updated 2026-05-13 | Assigner GRAFANA

MEDIUM: 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Product status

Default status: unaffected

12.3.1 (semver) before 12.3.6: affected

12.2.2 (semver) before 12.2.8: affected

12.1.5 (semver) before 12.1.10: affected

11.6.9 (semver) before 11.6.14: affected

References

grafana.com/security/security-advisories/cve-2026-21724 vendor-advisory

cve.org (CVE-2026-21724)

nvd.nist.gov (CVE-2026-21724)
