Description
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.

This requires several very stringent conditions to be met:

- The attacker must have admin access to the specific datasource prior to its first deletion.
- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.
- The attacker must delete the datasource, then someone must recreate it.
- The new datasource must not have the attacker as an admin.
- The new datasource must have the same UID as the prior datasource. These are randomised by default.
- The datasource can now be re-deleted by the attacker.
- Once 30 seconds are up, the attack is spent and cannot be repeated.
- No datasource with any other UID can be attacked.

Published: 2026-02-25
Score: 2.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Assess Impact
AI Analysis

Impact

Grafana's datasource deletion process contains a time-of-create-to-time-of-use flaw that allows an attacker who once had administrative rights on a datasource to delete it again after that datasource is recreated with the same unique identifier. The flaw lies in deletion logic that does not invalidate a previously granted authorization when the underlying resource is regenerated within a short window. As a result, an attacker can remove a datasource that no longer belongs to them, potentially disrupting monitoring services or corrupting configuration data. This weakness is identified as CWE-367, a classic TOCTOU bug that directly undermines access control.

The vulnerability is only exploitable under a very narrow set of conditions: the attacker must have held administrator rights on the original datasource; the deletion and immediate recreation must occur on the same Grafana pod; the recreated datasource must not grant the attacker new administrative privileges; the UID of the new datasource must match exactly that of the deleted one (Grafana randomises UIDs by default); and the entire sequence must be finished within thirty seconds. If any of these constraints is not satisfied, the flaw cannot be leveraged.

Because the conditions are stringent, the practical risk is relatively low. The CVSS base score is 2.6, the EPSS score is reported as less than 1%, and the vulnerability does not appear in the CISA Known Exploited Vulnerabilities catalog. Nonetheless, the impact if realized would be a full bypass of datasource-level authorization, which could lead to a denial of service or loss of monitoring integrity.

Affected Systems

The flaw is reported against Grafana Enterprise installations; a specific version range is not listed, so any instance that employs the default datasource‑deletion logic may be vulnerable. Administrators should verify their Grafana edition and examine vendor advisories for any patch that addresses this TOCTOU bug.

Risk and Exploitability

The low CVSS score and EPSS value indicate a modest baseline severity, and exploitability is further limited by the thirty-second window, the requirement for prior administrative rights, and the need for a UID collision. The attack presupposes an attacker who already administered the original datasource, and the delete and recreate events must occur in quick succession on the same pod. The narrow attack surface reduces the likelihood of widespread exploitation.

Generated by OpenCVE AI on April 15, 2026 at 18:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest Grafana release that includes the vendor’s security fix once it is publicly available.
  • Configure datasource UIDs to be immutable and reject reuse of deleted identifiers; enable configuration that requires a unique UID for every datasource.
  • Limit the ability to delete datasources to a dedicated system‑administration role and remove per‑datasource administrative rights unless absolutely necessary.
  • Enable comprehensive audit logging for datasource create and delete actions and set alerts for rapid delete‑recreate activity on the same UID.
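One way to implement the last recommendation, as an added example that is not OpenCVE's or Grafana's code: it parses a constructed audit-line format (assumed here; Grafana's real audit events differ) and flags a delete, a recreate by a different user and a second delete by the original user on the same UID inside the thirty-second window the description gives.

```python
"""Flag delete -> recreate -> re-delete of one datasource UID inside 30 s.
Added example, not Grafana's or OpenCVE's code; the audit-line format
"<ISO-8601 UTC> <actor> <action> uid=<uid>" is assumed for this example."""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # window stated in the CVE description

# Constructed sample events; only the 10:00 chain on ds-abc123 fits (the 11:00 recreate is 50 s late).
SAMPLE_LOG = """\
2026-02-25T10:00:00Z alice datasource.delete uid=ds-abc123
2026-02-25T10:00:05Z bob   datasource.create uid=ds-abc123
2026-02-25T10:00:12Z alice datasource.delete uid=ds-abc123
2026-02-25T10:05:00Z bob   datasource.create uid=ds-xyz789
2026-02-25T10:06:00Z bob   datasource.delete uid=ds-xyz789
2026-02-25T11:00:00Z carol datasource.delete uid=ds-abc123
2026-02-25T11:00:50Z dave  datasource.create uid=ds-abc123
2026-02-25T11:01:00Z carol datasource.delete uid=ds-abc123
"""

def parse_events(text):
    """Return (timestamp, actor, action, uid) tuples, one per audit line."""
    events = []
    for line in text.splitlines():
        ts, actor, action, uid_field = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       actor, action, uid_field.split("=", 1)[1]))
    return events

def find_redelete_chains(events, window=WINDOW):
    """Return (uid, deleter, recreator, seconds) for each delete by A,
    create by someone else, then delete by A again on the same UID,
    all within `window` of the first delete."""
    by_uid = {}
    for ts, actor, action, uid in sorted(events):
        by_uid.setdefault(uid, []).append((ts, actor, action))
    hits = []
    for uid, evs in by_uid.items():
        for i, (t0, deleter, act0) in enumerate(evs):
            if act0 != "datasource.delete":
                continue
            recreator = None  # set once another user recreates the UID
            for ts, actor, action in evs[i + 1:]:
                if ts - t0 > window:
                    break  # later events are outside the 30 s window
                if recreator is None and action == "datasource.create" and actor != deleter:
                    recreator = actor
                elif recreator and action == "datasource.delete" and actor == deleter:
                    hits.append((uid, deleter, recreator, int((ts - t0).total_seconds())))
                    break
    return hits
```

Each hit names the UID, the user who deleted it twice, the user who recreated it in between, and how many seconds the whole chain took.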

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 03:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:grafana:grafana:*:-:*:*:enterprise:*:*:*

Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Grafana; Grafana grafana
Type: Vendors & Products
Values Added: Grafana; Grafana grafana

Thu, 26 Feb 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-367
Type: References
Type: Metrics (threat_severity)
Values Removed: None
Values Added: Low

Wed, 25 Feb 2026 13:00:00 +0000

Type: Description
Values Added: A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion. - Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana. - The attacker must delete the datasource, then someone must recreate it. - The new datasource must not have the attacker as an admin. - The new datasource must have the same UID as the prior datasource. These are randomised by default. - The datasource can now be re-deleted by the attacker. - Once 30 seconds are up, the attack is spent and cannot be repeated. - No datasource with any other UID can be attacked.
Type: Title
Values Added: Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 2.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-04-24T08:00:44.700Z

Reserved: 2026-01-05T09:26:06.214Z

Link: CVE-2026-21725

Vulnrichment

Updated: 2026-02-25T15:13:44.864Z

NVD

Status: Analyzed

Published: 2026-02-25T13:16:05.240

Modified: 2026-02-27T03:34:26.473

Link: CVE-2026-21725

Redhat

Severity: Low

Public Date: 2026-02-25T12:35:43Z

Links: CVE-2026-21725 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses