Grafana Datasource Proxy API Improper Authorization Vulnerability

Vulnerability

A vulnerability in Grafana's datasource proxy API allows users with minimal permissions to bypass authorization checks and gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The bypass is triggered by adding an extra slash character to the URL path, and it primarily affects datasources with route-specific permissions, such as Alertmanager and certain Prometheus-based datasources.
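The class of flaw described above, as an added example that is not Grafana's code: a simplified route-permission check evaluated on the raw path, next to a version that canonicalises the path first. The rule table, role numbers, function names and the "no rule matched means forward" default are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// route is a constructed route-specific permission rule: GET requests under
// prefix need at least minRole (0 = Viewer, 1 = Editor, 2 = Admin).
type route struct {
	prefix  string
	minRole int
}

// Hypothetical rule table for an Alertmanager-style datasource.
var routes = []route{
	{"/api/v2/silences", 1},
	{"/api/v2/alerts", 1},
}

// matchRaw models the flawed check: rules are compared with the path exactly
// as received, and a path that matches no rule is forwarded (assumed default).
func matchRaw(p string, role int) bool {
	for _, r := range routes {
		if strings.HasPrefix(p, r.prefix) {
			return role >= r.minRole
		}
	}
	return true // no rule matched: request is proxied
}

// matchClean canonicalises the path first (collapses "//", resolves "." and
// ".."), so the rule is evaluated on the path the backend will actually serve.
func matchClean(p string, role int) bool {
	return matchRaw(path.Clean("/"+p), role)
}

func main() {
	// Constructed sample paths, checked for a Viewer (role 0).
	for _, p := range []string{"/api/v2/silences", "//api/v2/silences", "/api//v2/silences"} {
		fmt.Printf("%-20s raw=%v clean=%v\n", p, matchRaw(p, 0), matchClean(p, 0))
	}
}
```

The same canonicalisation step is useful in log review: a proxied request whose raw path differs from its cleaned form is worth a second look.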

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive data in Alertmanager and Prometheus datasources, potentially allowing for misuse of this information or disruption of services that rely on these monitoring tools.

Remediation

Users are strongly recommended to upgrade to the latest release of Grafana Incoming Goods Suite (version 1.2.1 or higher).

Added: Jan 15, 2026, 2:37 PM
Updated: Jan 15, 2026, 2:37 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.8
remediation: 0.0
relevance: 2.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.