Grafana
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*
- < 12.4.1
A time-of-check-to-time-of-use (TOCTOU) vulnerability has been identified in Grafana. It allows a user who holds admin access to a datasource to delete that datasource again after it has been recreated, without being authorized on the new datasource. Exploitation requires the attacker to act within 30 seconds of the datasource's deletion, on the same Grafana pod. The recreated datasource must not grant the attacker admin rights and must carry the same UID as the original, which is randomized by default. When these conditions are met, the attacker can delete the recreated datasource without authorization.
Exploitation of this vulnerability allows for unauthorized deletion of datasources, potentially leading to loss of important data or disruption of services that rely on those datasources.
To reproduce this vulnerability, an attacker must first have admin access to a Grafana datasource. The attacker deletes the datasource, then must act within 30 seconds, on the same Grafana pod, to recreate it with the same UID as the original but without admin rights for the attacker. Once these steps are completed, the attacker can delete the datasource again, exploiting the vulnerability.
Users can upgrade to Grafana version 12.4.1 or later to address this vulnerability.
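As an added illustration, not Grafana's code and not a description of the actual defect in Grafana (the advisory does not give root-cause detail), the Go model below assumes that the datasource-admin decision is cached per user and UID for the advisory's 30-second window, replays the delete/recreate/delete sequence with made-up users alice and bob and UID "ds-uid", and shows how binding the cached decision to a per-create identity instead of the reusable UID closes the gap:

```go
package main

import "time"
// Minimal model, not Grafana's schema: the UID is a user-facing name that a
// recreated datasource may reuse, while ID is unique to each create.
type Datasource struct {
	ID    int64
	Admin string // user holding admin permission on this datasource
}
type cacheEntry struct {
	dsID    int64
	admin   bool
	expires time.Time
}
// Store caches admin decisions for 30s (the advisory's window); Clock is advanced by the caller.
type Store struct {
	Clock time.Time
	ds    map[string]Datasource
	cache map[string]cacheEntry
}

// IsAdmin is the check before a delete. With bindToID=false any unexpired cache entry for the
// UID is trusted (check-then-act on a reusable name); with bindToID=true the entry must also
// match the datasource currently stored under that UID, so a recreated one cannot inherit it.
func (s *Store) IsAdmin(user, uid string, bindToID bool) bool {
	d, ok := s.ds[uid]
	if !ok {
		return false
	}
	key := user + "/" + uid
	if e, hit := s.cache[key]; hit && s.Clock.Before(e.expires) && (!bindToID || e.dsID == d.ID) {
		return e.admin
	}
	admin := d.Admin == user
	s.cache[key] = cacheEntry{dsID: d.ID, admin: admin, expires: s.Clock.Add(30 * time.Second)}
	return admin
}

// Scenario replays the advisory: alice (admin) deletes, bob recreates the same UID 10s later
// without making alice an admin, and alice tries to delete again; reports whether that passes.
func Scenario(bindToID bool) bool {
	s := &Store{ds: map[string]Datasource{}, cache: map[string]cacheEntry{}}
	s.ds["ds-uid"] = Datasource{ID: 1, Admin: "alice"}
	if s.IsAdmin("alice", "ds-uid", bindToID) { // legitimate first delete
		delete(s.ds, "ds-uid")
	}
	s.Clock = s.Clock.Add(10 * time.Second)
	s.ds["ds-uid"] = Datasource{ID: 2, Admin: "bob"} // same UID, new identity
	return s.IsAdmin("alice", "ds-uid", bindToID)
}
```

Scenario(false) returns true (the stale decision carries over to the recreated datasource); Scenario(true) returns false. Invalidating the cache on delete would work as well; the point is that a cached authorization must be tied to the object it was computed for, not to a name that can be reassigned.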