Impact
The vulnerability resides in the Dashboard Permissions API, which fails to enforce the intended dashboard scope when validating permission modifications. The API only checks for the generic dashboards.permissions:* action rather than verifying that the target dashboard belongs to the same namespace. As a result, a user granted permission-management rights on one dashboard can read and alter the permissions of any other dashboard in the same organization. The consequence is a trusted-user privilege escalation that allows an internal attacker to gain unauthorized read or modify access to other dashboards, potentially exposing sensitive metrics or configuration data. This weakness maps to CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-863 (Improper Enforcement of Restriction on Use of Privilege-Escalating Functions).
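The authorization pattern described above, as an added illustration in Go (not Grafana's code): vulnerableCheck grants the request as soon as the caller holds a permission with a matching action and never consults that permission's scope, while hardenedCheck additionally requires the scope to cover the target dashboard. The Permission and Request types, the "dashboards:uid:<uid>" scope format and the scopeCovers helper are assumptions for this example.

```go
package main

import "strings"
// Permission is a simplified (action, scope) pair in the style of Grafana RBAC entries,
// e.g. action "dashboards.permissions:write", scope "dashboards:uid:abc123" (assumed format).
type Permission struct {
	Action string
	Scope  string
}
// Request is a permission-management call against one target dashboard.
type Request struct {
	Action       string
	DashboardUID string
}
// actionMatches: the held action equals the requested one or is the wildcard.
func actionMatches(held, wanted string) bool {
	return held == wanted || held == "dashboards.permissions:*"
}
// vulnerableCheck mirrors the flaw described above: action is checked, scope never is.
func vulnerableCheck(perms []Permission, req Request) bool {
	for _, p := range perms {
		if actionMatches(p.Action, req.Action) {
			return true // any dashboard in the organization is accepted
		}
	}
	return false
}
// scopeCovers: exact match, global "*", or trailing-wildcard prefix such as "dashboards:uid:*".
func scopeCovers(held, target string) bool {
	if held == target || held == "*" {
		return true
	}
	return strings.HasSuffix(held, ":*") && strings.HasPrefix(target, strings.TrimSuffix(held, "*"))
}
// hardenedCheck requires both a matching action AND a scope that covers the target dashboard.
func hardenedCheck(perms []Permission, req Request) bool {
	target := "dashboards:uid:" + req.DashboardUID
	for _, p := range perms {
		if actionMatches(p.Action, req.Action) && scopeCovers(p.Scope, target) {
			return true
		}
	}
	return false
}
func main() {
	// Constructed input: rights on "own-dash" only, request targets "other-dash".
	perms := []Permission{{Action: "dashboards.permissions:write", Scope: "dashboards:uid:own-dash"}}
	req := Request{Action: "dashboards.permissions:write", DashboardUID: "other-dash"}
	println(vulnerableCheck(perms, req), hardenedCheck(perms, req)) // true false
}
```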
Affected Systems
All Grafana installations covered by this advisory, including both the community edition and the enterprise edition. Any deployed instance in which dashboards.permissions:* permissions are granted is affected, regardless of the Grafana version listed in the advisory. No specific version range is enumerated in the CNA data, so administrators should assume all current and older releases are vulnerable until patched.
Risk and Exploitability
The CVSS score of 8.1 signals high severity, reflecting an attacker's ability to elevate privileges without chaining additional exploits. The EPSS score is below 1%, suggesting that active exploitation is rare or had not been observed at the time of scoring. The vulnerability is not listed in the CISA KEV catalog, indicating that no widespread, publicly available exploits are known. Likely attack vectors involve internal users or compromised accounts that call the affected API endpoints, potentially through Grafana's own web interface or API clients. Exploitation would require the attacker to first obtain a legitimate session or credentials for a user who holds dashboards.permissions:* rights, and then target other dashboards within the same organization.
OpenCVE Enrichment