Grafana Authorization Bypass Vulnerability in Datasource Proxy API

Vulnerability

A vulnerability exists in Grafana's datasource proxy API that allows users with minimal permissions to bypass authorization checks. By adding an extra slash in the URL path, these users could gain unauthorized read access to GET endpoints in Alertmanager and certain Prometheus-based datasources. This issue mainly affects datasources with route-specific permissions.
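The bug class described above, modelled in an added Go example that is not Grafana's code: a hypothetical datasource-proxy permission lookup that matches the raw request path against route-specific rules, beside one that canonicalizes the path before the lookup. The route prefixes, permission names and the fallback to a datasource-wide query permission are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Hypothetical route rules for a datasource proxy: sub-paths that need a
// permission beyond the datasource-wide "datasources:query". Constructed
// for this example; not Grafana's routing table.
var routeRules = []struct{ prefix, perm string }{
	{"/api/v1/alerts", "datasources:read-alerts"},
	{"/api/v1/silences", "datasources:read-silences"},
}

func requiredPermission(p string) string {
	for _, r := range routeRules {
		if strings.HasPrefix(p, r.prefix) {
			return r.perm
		}
	}
	return "datasources:query" // no route-specific rule: base access applies
}

// authorizeNaive matches the path exactly as received. A non-canonical
// spelling such as "//api/v1/alerts" matches no route rule, so only the
// base permission is checked even though the proxied backend sees the
// same endpoint.
func authorizeNaive(rawPath string, userPerms map[string]bool) bool {
	return userPerms[requiredPermission(rawPath)]
}

// authorizeHardened canonicalizes the path (collapsing repeated slashes and
// resolving "." and "..") before the lookup, so every spelling of a route is
// checked against the same rule as its canonical form.
func authorizeHardened(rawPath string, userPerms map[string]bool) bool {
	return userPerms[requiredPermission(path.Clean("/" + rawPath))]
}

func main() {
	minimal := map[string]bool{"datasources:query": true}
	for _, p := range []string{"/api/v1/alerts", "//api/v1/alerts", "/api/v1/./alerts"} {
		fmt.Printf("%-18s naive=%-5v hardened=%v\n", p,
			authorizeNaive(p, minimal), authorizeHardened(p, minimal))
	}
}
```

The same canonicalization should be applied consistently by the authorization layer and the proxy that forwards the request, otherwise the two can disagree about which route a request targets.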

Impact

Exploitation of this vulnerability could lead to unauthorized read access on GET endpoints in Alertmanager and Prometheus datasources, allowing users with minimal permissions to access restricted information.

Remediation

Users can upgrade to Grafana versions v10.4.17+security-01, v11.2.8+security-01, v11.3.5+security-01, v11.4.3+security-01, v11.5.3+security-01, v11.6.0+security-01 or above to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (custom algorithm)

spread: 6.2
impact: 0.6