Grafana Information Leakage Vulnerability in Alerting System

Vulnerability

A vulnerability exists in Grafana's alerting system, affecting versions after 8.0.0 up to and including 12.3.0. Users with edit permission on a contact point, in particular those holding the 'Contact Point Writer' role, can modify contact points created by other users, including changing the endpoint URL to a server under their control. Triggering the contact point's test function then delivers the notification, together with the secure settings that Grafana otherwise redacts (for example authentication tokens for third-party services such as Slack), to that server, where the user can read them. This could lead to unauthorized access to and compromise of external integrations.
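A defender-side audit for the condition described above, added here as an example and not code from Grafana or from this advisory: it reads a contact-point listing, picks out every URL-bearing setting, and flags contact points whose endpoint host is outside the hosts that integration type is expected to reach. The JSON shape approximates what Grafana's alerting provisioning API (GET /api/v1/provisioning/contact-points) returns, the sample records are constructed, and the setting names and allowlist are assumptions for this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample resembling a contact-point listing from the provisioning API.
# Secure settings appear redacted, as Grafana returns them; all values are made up.
SAMPLE_CONTACT_POINTS = json.dumps([
    {"uid": "cp-1", "name": "ops-slack", "type": "slack",
     "settings": {"recipient": "#ops", "token": "[REDACTED]",
                  "endpointUrl": "https://slack.com/api/chat.postMessage"}},
    {"uid": "cp-2", "name": "oncall-slack", "type": "slack",
     "settings": {"recipient": "#oncall", "token": "[REDACTED]",
                  "endpointUrl": "https://collector.example.invalid/hook"}},
    {"uid": "cp-3", "name": "pager-webhook", "type": "webhook",
     "settings": {"url": "https://hooks.internal.example/pager",
                  "authorization_credentials": "[REDACTED]"}},
])

# Hosts each integration type is expected to talk to (assumed policy for this example).
ALLOWED_HOSTS = {
    "slack": {"slack.com", "hooks.slack.com"},
    "webhook": {"hooks.internal.example"},
}


def url_settings(settings):
    """Yield (key, value) for every setting that carries a URL, skipping redacted ones."""
    for key, value in settings.items():
        if key.lower().endswith("url") and isinstance(value, str) and value.startswith("http"):
            yield key, value


def audit_contact_points(raw_json, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for contact points whose URL settings point outside the allowlist."""
    findings = []
    for cp in json.loads(raw_json):
        cp_type = cp.get("type", "")
        for key, value in url_settings(cp.get("settings", {})):
            host = (urlparse(value).hostname or "").lower()
            if host not in allowed_hosts.get(cp_type, set()):
                findings.append({"uid": cp["uid"], "name": cp["name"], "type": cp_type,
                                 "setting": key, "host": host})
    return findings


if __name__ == "__main__":
    for f in audit_contact_points(SAMPLE_CONTACT_POINTS):
        print(f"{f['uid']} ({f['name']}, {f['type']}): {f['setting']} points at {f['host']}")
```

Run against a real listing, a finding means a contact point now posts to a host it should not, which is the change a Contact Point Writer would make before using the test function.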

Impact

Exploitation of this vulnerability leaks sensitive authentication credentials, such as Slack tokens, which could result in unauthorized access to and compromise of the external integrations that use them.

Remediation

Users can upgrade to Grafana version 12.4 or later to address this vulnerability.

Added: Apr 15, 2026, 4:52 PM
Updated: Apr 15, 2026, 4:52 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 6.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.