
Description

When public dashboards are used together with direct data sources, the passwords of all direct data sources are exposed, even if those data sources are not used in any dashboard. No passwords of proxied data sources are exposed. We encourage converting direct data sources to proxied data sources wherever possible to improve the security of your deployment.

PUBLISHED Reserved 2026-02-24 | Published 2026-03-27 | Updated 2026-05-13 | Assigner GRAFANA




MEDIUM: 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Product status

Default status: unaffected

9.3.0 (semver) before 11.6.14: affected

12.0.0 (semver) before 12.1.10: affected

12.2.0 (semver) before 12.2.8: affected

12.3.0 (semver) before 12.3.6: affected

12.4.0 (semver) before 12.4.2: affected

References

grafana.com/security/security-advisories/cve-2026-27877 broken-link

grafana.com/security/security-advisories/cve-2026-27877 vendor-advisory

cve.org (CVE-2026-27877)

nvd.nist.gov (CVE-2026-27877)
