Impact
When a Grafana dashboard is made public and the instance has data sources configured in direct (browser) access mode, the credentials for those data sources are exposed, even if the public dashboard does not reference them. This is an information-exposure vulnerability: an attacker can obtain credentials for databases or other backend services that would otherwise remain concealed behind Grafana. The weakness is improper disclosure and handling of credential information.
Affected Systems
All Grafana deployments that permit public dashboards and have at least one data source in direct access mode are vulnerable. The advisory does not state a version range, so every supported release that allows this configuration should be treated as affected until a patch is applied or the direct data sources are converted to proxied (server-side) data sources.
Risk and Exploitability
The CVSS score of 6.5 marks the issue as moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is viewing a public dashboard, inferred from the advisory's description that credentials are revealed when a public dashboard is enabled. An attacker would therefore only need to reach the public dashboard URL, which is available to anyone who holds the link or discovers the page, so the attack is straightforward and does not depend on privileged access.
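The exposure described above is a combination of two settings, so the practical defender's check is to audit both: are any public dashboards enabled, and are any data sources still in direct access mode? The following script is an added example, not Grafana's own code or part of the advisory. It assumes the Grafana HTTP API endpoints `GET /api/datasources` (whose `access` field is `proxy` or `direct`) and `GET /api/dashboards/public-dashboards`, a service-account token with read access, and the response shapes shown in the constructed samples; field names beyond those used here are not relied on.

```python
"""Audit a Grafana instance for the public-dashboard + direct-data-source condition.

Added example (not Grafana's or the advisory's code). Assumptions: the API paths
/api/datasources and /api/dashboards/public-dashboards, a bearer token, and the
response fields used below.
"""
import json
import urllib.request

# Constructed sample of a GET /api/datasources response (fields trimmed).
# "access" is "proxy" (Grafana server queries the backend) or "direct"
# (the browser queries the backend, so it must receive the credentials).
SAMPLE_DATASOURCES = json.loads("""
[
  {"id": 1, "uid": "ds-prom", "name": "Prometheus", "type": "prometheus", "access": "proxy"},
  {"id": 2, "uid": "ds-pg", "name": "Postgres-legacy", "type": "postgres", "access": "direct", "basicAuth": true},
  {"id": 3, "uid": "ds-loki", "name": "Loki", "type": "loki", "access": "direct", "basicAuth": false}
]
""")

# Constructed sample of a GET /api/dashboards/public-dashboards response
# (shape assumed; only "publicDashboards", "title" and "isEnabled" are used).
SAMPLE_PUBLIC_DASHBOARDS = json.loads("""
{"publicDashboards": [
   {"uid": "pd-1", "dashboardUid": "dash-status", "title": "Service status", "isEnabled": true},
   {"uid": "pd-2", "dashboardUid": "dash-draft", "title": "Draft", "isEnabled": false}
 ], "totalCount": 2}
""")


def direct_datasources(datasources):
    """Return the data sources that are in direct (browser) access mode."""
    return [ds for ds in datasources if ds.get("access") == "direct"]


def enabled_public_dashboards(payload):
    """Return only the public dashboards that are currently enabled."""
    return [pd for pd in payload.get("publicDashboards", []) if pd.get("isEnabled")]


def assess(datasources, public_dashboards_payload):
    """Combine both facts into one finding.

    The advisory's condition is the combination: at least one enabled public
    dashboard AND at least one direct data source, regardless of whether the
    dashboard references that data source. Either list being empty clears it.
    """
    direct = direct_datasources(datasources)
    public = enabled_public_dashboards(public_dashboards_payload)
    return {
        "exposed": bool(direct) and bool(public),
        "direct_datasources": [ds["name"] for ds in direct],
        "enabled_public_dashboards": [pd["title"] for pd in public],
    }


def fetch_json(base_url, path, token):
    """GET a Grafana API path with a service-account token (assumed read access)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit(base_url, token):
    """Live audit of one instance; both endpoint paths are assumptions (see docstring)."""
    return assess(
        fetch_json(base_url, "/api/datasources", token),
        fetch_json(base_url, "/api/dashboards/public-dashboards", token),
    )


if __name__ == "__main__":
    # Offline run over the constructed samples: flags Postgres-legacy and Loki
    # because "Service status" is an enabled public dashboard.
    print(json.dumps(assess(SAMPLE_DATASOURCES, SAMPLE_PUBLIC_DASHBOARDS), indent=2))
```

Run it as-is to see the finding on the constructed samples, or call `audit("https://grafana.example.internal", token)` against a real instance. Any data source the script lists should be switched to proxy mode in its settings (or `access: proxy` in provisioning files) before public dashboards stay enabled; the `basicAuth` flag in the sample is only there to show that the exposure applies whether or not the source uses basic auth, since the condition in the advisory is the access mode, not the credential type.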
OpenCVE Enrichment
GitHub GHSA