{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27877", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-02-24T14:30:17.726Z", "datePublished": "2026-03-27T14:02:11.889Z", "dateUpdated": "2026-03-27T14:56:34.782Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-27T14:28:54.740Z"}, "datePublic": "2026-03-27T13:59:46.831Z", "title": "Public dashboards discloses all direct mode datasources", "descriptions": [{"lang": "en", "value": "When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security."}], "affected": [{"vendor": "Grafana", "product": "Grafana", "platforms": ["OnPrem", "Cloud"], "defaultStatus": "unaffected", "versions": [{"version": "v9.3.0", "status": "affected", "versionType": "semver", "lessThan": "v11.6.14"}, {"version": "v12.0.0", "status": "affected", "versionType": "semver", "lessThan": "v12.1.10"}, {"version": "v12.2.0", "status": "affected", "versionType": "semver", "lessThan": "v12.2.8"}, {"version": "v12.3.0", "status": "affected", "versionType": "semver", "lessThan": "v12.3.6"}, {"version": "v12.4.0", "status": "affected", "versionType": "semver", "lessThan": "v12.4.2"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27877", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27877", "tags": ["broken-link"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T14:56:26.128138Z", "id": "CVE-2026-27877", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:56:34.782Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27877", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T14:56:26.128138Z"}}}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27877", "tags": ["broken-link"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:54:26.882Z"}}], "cna": {"title": "Public dashboards discloses all direct mode datasources", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "Grafana", "product": "Grafana", "versions": [{"status": "affected", "version": "v9.3.0", "lessThan": "v11.6.14", "versionType": "semver"}, {"status": "affected", "version": "v12.0.0", "lessThan": "v12.1.10", "versionType": "semver"}, {"status": "affected", "version": "v12.2.0", "lessThan": "v12.2.8", "versionType": "semver"}, {"status": "affected", "version": "v12.3.0", "lessThan": "v12.3.6", "versionType": "semver"}, {"status": "affected", "version": "v12.4.0", "lessThan": "v12.4.2", "versionType": "semver"}], "platforms": ["OnPrem", "Cloud"], "defaultStatus": "unaffected"}], "datePublic": "2026-03-27T13:59:46.831Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27877", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security."}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-27T14:28:54.740Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27877", "state": "PUBLISHED", "dateUpdated": "2026-03-27T14:56:34.782Z", "dateReserved": "2026-02-24T14:30:17.726Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-03-27T14:02:11.889Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security."}], "id": "CVE-2026-27877", "lastModified": "2026-03-27T15:16:51.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-03-27T15:16:51.050", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2026-27877"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://grafana.com/security/security-advisories/cve-2026-27877"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T15:56:21.599420+00:00", "value": {"mitigation_remediation": ["Install the Grafana vendor patch that fixes CVE\u20112026\u201127877.", "Convert all direct data\u2011source connections to proxied data\u2011source connections where possible.", "If the patch is unavailable, restrict public dashboard access to trusted users or disable public dashboards entirely.", "Review and rotate any database credentials that may have been exposed.", "Monitor Grafana logs for unauthorized data\u2011source access attempts."], "summary": {"action": "Patch ASAP", "impact": "Credential exposure"}, "threat_synthesis": {"affected_systems": "Grafana dashboards that are marked public and use direct data\u2011source connections. No specific product versions were disclosed in the advisory; it applies to all Grafana deployments that have not yet applied the vendor patch for CVE\u20112026\u201127877.", "description_and_impact": "The vulnerability allows an attacker to obtain passwords for all direct data\u2011sources that are associated with a public dashboard, even if those data\u2011sources are not used in the dashboard tiles. Exposing these credentials can enable the attacker to access the underlying databases or other systems that the data\u2011sources connect to, compromising data confidentiality. This weakness is a classic example of sensitive information exposure, allowing an attacker to read or exploit credentials that should remain private.", "risk_and_exploitability": "The CVSS score of 6.5 classifies the vulnerability as moderate severity. Because the attack vector involves a publicly exposed dashboard, any individual with network access to the Grafana instance can exploit the flaw, making it relatively easy for an external actor to retrieve credentials. The EPSS score is not provided and the vulnerability is not currently listed in the CISA KEV catalog, but the potential damage from credential compromise is significant. The attack is straightforward: access any public dashboard that contains direct data\u2011source links, and the passwords are rendered in the rendered HTML."}}}}, "created": "2026-03-27T20:28:45.992344+00:00", "updated": "2026-03-27T20:28:45.992386+00:00", "vendors": [], "weaknesses": ["CWE-200"]}