Grafana OSS Authorization Bypass Vulnerability in Provisioning Contact Points API

Vulnerability

An authorization bypass vulnerability has been identified in Grafana OSS. This issue allows users with the Editor role to modify protected webhook URLs through the provisioning contact points API, without having the necessary alert.notifications.receivers.protected:write permission. The vulnerability arises from inadequate authorization checks, enabling unauthorized changes to be made to sensitive webhook configurations.
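To make the missing check concrete, here is an added illustrative model of the authorization gate in Go (not Grafana's own code): the weak variant lets anyone with the ordinary edit permission change every field, the fixed variant also demands alert.notifications.receivers.protected:write whenever a protected setting such as a webhook URL would change. The ordinary-edit action name, the ContactPoint shape and the protectedKeys table are assumptions for this example.

```go
package main

import "fmt"

// protected:write is the action named in the advisory; receivers:write is
// assumed here as the ordinary contact-point edit permission.
const (
	ActionReceiversWrite          = "alert.notifications.receivers:write"
	ActionReceiversProtectedWrite = "alert.notifications.receivers.protected:write"
)
type User struct{ Actions map[string]bool } // RBAC actions granted to the caller
// ContactPoint: integration type plus settings; a webhook's URL is under "url".
type ContactPoint struct {
	Type     string
	Settings map[string]string
}

// Settings per type that must not change without protected:write (constructed).
var protectedKeys = map[string][]string{"webhook": {"url"}}
// Flawed gate: receivers:write alone lets an Editor rewrite a protected URL.
func authorizeUpdateWeak(u User, cur, upd ContactPoint) error {
	if !u.Actions[ActionReceiversWrite] {
		return fmt.Errorf("forbidden: %s required", ActionReceiversWrite)
	}
	return nil
}

// Fixed gate: if any protected setting would change, also require protected:write.
func authorizeUpdateFixed(u User, cur, upd ContactPoint) error {
	if err := authorizeUpdateWeak(u, cur, upd); err != nil {
		return err
	}
	if u.Actions[ActionReceiversProtectedWrite] {
		return nil
	}
	for _, k := range protectedKeys[upd.Type] {
		if cur.Settings[k] != upd.Settings[k] {
			return fmt.Errorf("forbidden: changing %s.%s requires %s", upd.Type, k, ActionReceiversProtectedWrite)
		}
	}
	return nil
}

func main() { // Editor (receivers:write only) changing a webhook URL: weak allows, fixed denies
	editor := User{Actions: map[string]bool{ActionReceiversWrite: true}}
	cur := ContactPoint{Type: "webhook", Settings: map[string]string{"url": "https://hooks.example/old"}}
	upd := ContactPoint{Type: "webhook", Settings: map[string]string{"url": "https://hooks.example/new"}}
	fmt.Println("weak:", authorizeUpdateWeak(editor, cur, upd), "| fixed:", authorizeUpdateFixed(editor, cur, upd))
}
```

The fixed gate compares the stored and submitted values of each protected key, so renaming or retitling a contact point without touching its URL still needs only the ordinary permission.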

Impact

Exploitation of this vulnerability could lead to unauthorized modifications of protected webhook URLs, potentially disrupting notification workflows or causing unintended actions to be triggered by the webhooks.

Remediation

Affected versions are 12.3.1 prior to 12.3.6, 12.2.2 prior to 12.2.8, 12.1.5 prior to 12.1.10, and 11.6.9 prior to 11.6.14; users should upgrade to 12.3.6, 12.2.8, 12.1.10, or 11.6.14 respectively to address this vulnerability.

Added: Mar 26, 2026, 9:43 PM
Updated: Mar 26, 2026, 9:43 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.