Grafana Dashboard Permission Bypass Vulnerability

Vulnerability

A vulnerability exists in Grafana's API endpoints related to dashboard management, allowing authenticated users to bypass permissions for dashboards and folders. This issue affects all API versions, including v0alpha1, v1alpha1, and v2alpha1. The vulnerability enables viewers to access all dashboards and folders, regardless of their assigned permissions. Similarly, editors can view, edit, and delete any dashboards or folders, as well as create dashboards in any folder without permission restrictions. Additionally, anonymous users with viewer or editor roles are affected. However, this vulnerability does not compromise access to data sources.

Impact

Exploiting this vulnerability gives a user unauthorized access to dashboards and folders, overriding the permission settings configured for them. Affected users can view, edit, or delete dashboards and folders they would normally be restricted from accessing, and editors can create dashboards in any folder regardless of its permissions. The same permission bypass applies to anonymous users with the viewer or editor role.
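A check a defender would want after reading the above is a regression test that lists dashboards as a low-privilege principal and flags anything visible beyond that principal's permitted set. The script below is an added example, not code from the advisory or from Grafana. It assumes Grafana's classic HTTP API (GET /api/search?type=dash-db, authenticated with a service-account token) and a maintained inventory of which dashboard UIDs each principal should see; the sample response and principal below are constructed. The advisory's affected API versions (v0alpha1, v1alpha1, v2alpha1) are not modelled; the same comparison should be run against whichever listing endpoint your clients actually use.

```python
"""Authorization regression check for Grafana dashboard visibility.

Added example, not Grafana's code and not from the advisory. Assumes the
classic HTTP API: GET /api/search?type=dash-db returns the dashboards the
calling principal is allowed to see, authenticated with a service-account token.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Set

SEARCH_PATH = "/api/search?type=dash-db&limit=5000"  # assumed endpoint


def http_fetch(base_url: str, token: str) -> List[dict]:
    """Fetch the search listing as the principal that owns `token`."""
    req = urllib.request.Request(
        base_url.rstrip("/") + SEARCH_PATH,
        headers={"Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def visible_uids(payload: List[dict]) -> Set[str]:
    """UIDs of dashboards present in a search response (folders are skipped)."""
    return {item["uid"] for item in payload if item.get("type") == "dash-db"}


def audit_principal(name: str, expected: Set[str], payload: List[dict]) -> dict:
    """Compare what a principal can actually list against what it should see.

    `unexpected` entries are dashboards visible beyond the permitted set,
    which is the symptom of the bypass described in the advisory.
    """
    seen = visible_uids(payload)
    return {
        "principal": name,
        "unexpected": sorted(seen - expected),
        "missing": sorted(expected - seen),
    }


def run_audit(base_url: str, principals: Dict[str, dict],
              fetch: Callable[[str, str], List[dict]] = http_fetch) -> List[dict]:
    """Run the comparison for every principal; `fetch` is injectable for offline runs."""
    results = []
    for name, spec in principals.items():
        payload = fetch(base_url, spec["token"])
        results.append(audit_principal(name, set(spec["expected"]), payload))
    return results


def bypass_detected(results: List[dict]) -> bool:
    """True if any principal can list a dashboard outside its permitted set."""
    return any(r["unexpected"] for r in results)


# Constructed sample response (not real Grafana output): a viewer that was
# granted only the "ops-overview" dashboard also sees "finance".
SAMPLE_RESPONSE = [
    {"uid": "ops-overview", "title": "Ops Overview", "type": "dash-db"},
    {"uid": "finance", "title": "Finance", "type": "dash-db"},
    {"uid": "team-folder", "title": "Team", "type": "dash-folder"},
]
SAMPLE_PRINCIPALS = {
    "viewer-sa": {"token": "placeholder-token", "expected": ["ops-overview"]},
}


def sample_audit() -> List[dict]:
    """Offline run over the constructed sample; a real run passes http_fetch."""
    return run_audit("http://grafana.local", SAMPLE_PRINCIPALS,
                     fetch=lambda _url, _token: SAMPLE_RESPONSE)


if __name__ == "__main__":
    for result in sample_audit():
        print(result)
```

Run it against a live instance by calling `run_audit(base_url, principals)` with real service-account tokens; a non-empty `unexpected` list for a viewer or editor principal is the signal that dashboard permissions are not being enforced for that principal. The `missing` list is informational only (a dashboard may simply have been deleted).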

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 5.0
exploitability: 5.2
remediation: 0.0
relevance: 0.1
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.