Description
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Published: 2026-03-26
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: Unauthorised Webhook URL Modification
Action: Apply Patch
AI Analysis

Impact

An authorization bypass in Grafana OSS allows a user with Editor role to change protected webhook URLs without the required alert.notifications.receivers.protected:write permission. The discrepancy between the assigned role and the permissions enforced leads to a moderate risk of an attacker redirecting alert notifications to malicious endpoints, potentially compromising confidentiality and availability of notification services.

Affected Systems

The flaw exists in Grafana OSS. No specific version information has been supplied in the advisory, so all deployed instances of Grafana OSS that have not been patched may be vulnerable. The vulnerability is tied to the provisioning contact points API, which is accessed by authenticated users within the application.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity; no EPSS score is provided and the issue is not listed in CISA’s KEV catalogue, suggesting limited known exploitation. Based on the description, the likely attack vector is an authenticated user possessing Editor permissions, who must also have network access to the Grafana API. The potential impact is that an attacker could silently modify webhook URLs, leading to unauthorized data exfiltration or service disruption.

Generated by OpenCVE AI on March 26, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check whether a Grafana OSS update addressing this Authorization Bypass has been released, and upgrade immediately if it has.
  • If a fix is not yet available, limit API access for Editor-role users by applying network firewall rules or an API gateway filter to block requests to the provisioning contact points endpoint.
  • Re-evaluate the necessity of granting Editor permissions to users; if they do not need to modify webhooks, downgrade them to a role with fewer privileges.
  • Continuously monitor Grafana logs for changes to webhook configurations and review alert notification settings for anomalous changes.
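The last two actions above (watch the logs for contact-point changes, and review the configured webhooks for anomalies) can be scripted. The block below is an added example, not code from OpenCVE or from the Grafana project. It assumes a logfmt-style request log with method, path and uname fields, assumes the provisioning contact points endpoint lives under /api/v1/provisioning/contact-points (the advisory does not name the path), and assumes webhook contact points expose their URL under settings.url; the log lines and contact-point records are constructed for the example.

```python
"""Defender-side checks for the two monitoring actions above (added example)."""
import re
from urllib.parse import urlsplit

# Assumption: the provisioning contact points endpoint path; not taken from the advisory.
PROVISIONING_CONTACT_POINTS = "/api/v1/provisioning/contact-points"
MUTATING_METHODS = {"POST", "PUT", "DELETE"}

# Constructed sample request log (logfmt-style; not real Grafana output).
SAMPLE_LOG = """\
t=2026-03-26T21:00:01Z level=info logger=context userId=7 orgId=1 uname=alice msg="Request Completed" method=GET path=/api/v1/provisioning/contact-points status=200
t=2026-03-26T21:00:05Z level=info logger=context userId=7 orgId=1 uname=alice msg="Request Completed" method=PUT path=/api/v1/provisioning/contact-points/ops-webhook status=202
t=2026-03-26T21:00:09Z level=info logger=context userId=1 orgId=1 uname=admin msg="Request Completed" method=POST path=/api/v1/provisioning/contact-points status=202
t=2026-03-26T21:00:12Z level=info logger=context userId=7 orgId=1 uname=alice msg="Request Completed" method=GET path=/api/dashboards/uid/abc status=200
"""

# key=value or key="quoted value"; the quoted alternative is tried first.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_logfmt(line):
    """Return the key=value pairs of one log line; quoted values keep their inner text."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}


def find_contact_point_changes(log_text, admin_users=frozenset()):
    """Return (uname, method, path) for every mutating call to the contact-points
    endpoint made by a user who is not in admin_users (the expected change owners)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_logfmt(line)
        if (rec.get("method") in MUTATING_METHODS
                and rec.get("path", "").startswith(PROVISIONING_CONTACT_POINTS)
                and rec.get("uname") not in admin_users):
            hits.append((rec.get("uname"), rec["method"], rec["path"]))
    return hits


# Constructed contact-point export; the settings.url shape is an assumption.
SAMPLE_CONTACT_POINTS = [
    {"uid": "ops-webhook", "type": "webhook",
     "settings": {"url": "https://hooks.example.internal/alerts"}},
    {"uid": "pager", "type": "webhook",
     "settings": {"url": "https://unexpected-host.example/collect"}},  # constructed anomaly
    {"uid": "mail", "type": "email",
     "settings": {"addresses": "ops@example.internal"}},
]


def find_unapproved_webhooks(contact_points, approved_hosts):
    """Return uids of webhook contact points whose URL is missing, not HTTPS,
    or points at a host outside approved_hosts."""
    bad = []
    for cp in contact_points:
        if cp.get("type") != "webhook":
            continue  # only webhook receivers carry a URL to check
        parts = urlsplit(cp.get("settings", {}).get("url", ""))
        if parts.scheme != "https" or parts.hostname not in approved_hosts:
            bad.append(cp["uid"])
    return bad


if __name__ == "__main__":
    for uname, method, path in find_contact_point_changes(SAMPLE_LOG, {"admin"}):
        print(f"contact-point change by non-admin user {uname}: {method} {path}")
    for uid in find_unapproved_webhooks(SAMPLE_CONTACT_POINTS, {"hooks.example.internal"}):
        print(f"webhook contact point {uid} targets an unapproved URL")
```

Run against real exports, the first function gives the audit trail the advisory's Editor-role bypass would leave in the request log, and the second catches a redirected webhook even if the change itself was never logged.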


Tracking


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 09:30:00 +0000

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-284

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Grafana; Grafana grafana

Type: Vendors & Products
Values Removed: (empty)
Values Added: Grafana; Grafana grafana

Thu, 26 Mar 2026 20:30:00 +0000

Type: Description
Values Removed: (empty)
Values Added: A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Type: Title
Values Removed: (empty)
Values Added: Missing Protected-field Authorization in Provisioning Contact Points API

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-03-26T21:41:07.297Z

Reserved: 2026-01-05T09:26:06.214Z

Link: CVE-2026-21724

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-26T21:17:03.227

Modified: 2026-03-26T21:17:03.227

Link: CVE-2026-21724

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:38Z

Weaknesses