Description
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Published: 2026-03-26
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

Grafana OSS is vulnerable to an authorization bypass in its provisioning contact points API. Users with an Editor role can change protected webhook URLs without having the required alert.notifications.receivers.protected:write permission. This flaw effectively allows an authenticated user to modify data that should be restricted, enabling manipulation of alert destinations. The weakness is classified as CWE-266 (Least Privilege) and CWE-285 (Improper Authorization).

Affected Systems

Any Grafana OSS installation that exposes the provisioning contact points API is potentially affected. No specific version information is provided, so all installations are considered at risk until a fix is applied.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity, and the EPSS score is below 1%, suggesting a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with Editor permissions; an attacker can send API requests to modify webhook URLs. Because the attack requires legitimate account credentials, the risk is contained to systems where Editor privileges exist, but the impact of redirecting alerts could facilitate further attacks or data exfiltration.

Generated by OpenCVE AI on April 14, 2026 at 02:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Grafana OSS patch or upgrade to a version that fixes the authorization bypass.
  • Revoke unnecessary Editor permissions or enforce least privilege for users who do not need to modify alerts.
  • Ensure that only administrators can create or change protected webhook URLs by configuring role-based access controls.
  • Monitor provisioning API activity for unexpected changes to webhook URLs and investigate promptly.

Generated by OpenCVE AI on April 14, 2026 at 02:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7g92-g4vh-hp84 Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions
History

Tue, 14 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Fri, 27 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-266
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Grafana
Grafana grafana
Vendors & Products Grafana
Grafana grafana

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Title Missing Protected-field Authorization in Provisioning Contact Points API
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Grafana Grafana
cve-icon MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-04-24T08:00:46.706Z

Reserved: 2026-01-05T09:26:06.214Z

Link: CVE-2026-21724

cve-icon Vulnrichment

Updated: 2026-03-27T13:42:53.364Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T21:17:03.227

Modified: 2026-04-14T01:00:10.760

Link: CVE-2026-21724

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-26T20:06:18Z

Links: CVE-2026-21724 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:40Z

Weaknesses