{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21724", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-01-05T09:26:06.214Z", "datePublished": "2026-03-26T20:06:18.829Z", "dateUpdated": "2026-03-27T14:28:56.650Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-27T14:28:56.650Z"}, "datePublic": "2026-03-25T22:00:37.352Z", "title": "Missing Protected-field Authorization in Provisioning Contact Points API", "descriptions": [{"lang": "en", "value": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission."}], "affected": [{"vendor": "Grafana", "product": "Grafana OSS", "platforms": ["OnPrem"], "defaultStatus": "unaffected", "versions": [{"version": "12.3.1", "status": "affected", "versionType": "semver", "lessThan": "12.3.6"}, {"version": "12.2.2", "status": "affected", "versionType": "semver", "lessThan": "12.2.8"}, {"version": "12.1.5", "status": "affected", "versionType": "semver", "lessThan": "12.1.10"}, {"version": "11.6.9", "status": "affected", "versionType": "semver", "lessThan": "11.6.14"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-21724", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "CWE-285 Improper Authorization"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:42:43.732342Z", "id": "CVE-2026-21724", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:56:12.761Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21724", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-01-05T09:26:06.214Z", "datePublished": "2026-03-26T20:06:18.829Z", "dateUpdated": "2026-03-27T13:56:12.761Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-26T21:41:07.297Z"}, "datePublic": "2026-03-25T22:00:37.352Z", "title": "Missing Protected-field Authorization in Provisioning Contact Points API", "descriptions": [{"lang": "en", "value": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission."}], "affected": [{"vendor": "Grafana", "product": "Grafana OSS", "platforms": ["OnPrem"], "defaultStatus": "unaffected", "versions": [{"version": "12.3.1", "status": "affected", "versionType": "semver", "lessThan": "12.3.6"}, {"version": "12.2.2", "status": "affected", "versionType": "semver", "lessThan": "12.2.8"}, {"version": "12.1.5", "status": "affected", "versionType": "semver", "lessThan": "12.1.10"}, {"version": "11.6.9", "status": "affected", "versionType": "semver", "lessThan": "11.6.14"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-21724", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21724", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:42:43.732342Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:42:53.364Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission."}], "id": "CVE-2026-21724", "lastModified": "2026-03-26T21:17:03.227", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:03.227", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2026-21724"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Received"}

{"bugzilla": {"description": "Grafana OSS: Grafana OSS: Authorization bypass allows modification of protected webhook URLs", "id": "2451938", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451938"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-266", "details": ["A flaw was found in Grafana OSS. An authorization bypass vulnerability in the provisioning contact points API allows users with an Editor role to modify protected webhook URLs. This can lead to unauthorized changes to notification configurations, potentially resulting in information disclosure or integrity issues."], "name": "CVE-2026-21724", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-26T20:06:18Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21724\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21724\nhttps://grafana.com/security/security-advisories/cve-2026-21724"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.1,12.3.6)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.2.2,12.2.8)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.1.5,12.1.10)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[11.6.9,11.6.14)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "Grafana OSS", "source": "cna", "vendor": "Grafana"}, "product": "grafana", "vendor": "grafana"}], "analysis": {"en": {"generated_at": "2026-03-26T21:20:45.514064+00:00", "value": {"mitigation_remediation": ["Check whether a Grafana OSS update addressing this Authorization Bypass has been released, and upgrade immediately if it has.", "If a fix is not yet available, limit API access for Editor\u2011role users by applying network firewall rules or an API gateway filter to block requests to the provisioning contact points endpoint.", "Re\u2011evaluate the necessity of granting Editor permissions to users; if they do not need to modify webhooks, downgrade them to a role with fewer privileges.", "Continuously monitor Grafana logs for changes to webhook configurations and review alert notification settings for anomalous changes."], "summary": {"action": "Apply Patch", "impact": "Unauthorised Webhook URL Modification"}, "threat_synthesis": {"affected_systems": "The flaw exists in Grafana OSS. No specific version information has been supplied in the advisory, so all deployed instances of Grafana OSS that have not been patched may be vulnerable. The vulnerability is tied to the provisioning contact points API, which is accessed by authenticated users within the application.", "description_and_impact": "An authorization bypass in Grafana OSS allows a user with Editor role to change protected webhook URLs without the required alert.notifications.receivers.protected:write permission. The discrepancy between the assigned role and the permissions enforced leads to a moderate risk of an attacker redirecting alert notifications to malicious endpoints, potentially compromising confidentiality and availability of notification services.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity; no EPSS score is provided and the issue is not listed in CISA\u2019s KEV catalogue, suggesting limited known exploitation. Based on the description, the likely attack vector is an authenticated user possessing Editor permissions, which must also have network access to the Grafana API. The potential impact is that an attacker could silently modify webhook URLs, leading to unauthorized data exfiltration or service disruption."}}}}, "created": "2026-03-27T08:32:10.008645+00:00", "updated": "2026-03-27T09:23:38.257709+00:00", "vendors": ["grafana", "grafana$PRODUCT$grafana"], "weaknesses": ["CWE-284"]}