Description
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.

No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Published: 2026-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential exposure
Action: Patch ASAP
AI Analysis

Impact

The vulnerability allows an attacker to obtain passwords for all direct data‑sources that are associated with a public dashboard, even if those data‑sources are not used in the dashboard tiles. Exposing these credentials can enable the attacker to access the underlying databases or other systems that the data‑sources connect to, compromising data confidentiality. This weakness is a classic example of sensitive information exposure, allowing an attacker to read or exploit credentials that should remain private.

Affected Systems

Grafana dashboards that are marked public and use direct data‑source connections. No specific product versions were disclosed in the advisory; it applies to all Grafana deployments that have not yet applied the vendor patch for CVE‑2026‑27877.

Risk and Exploitability

The CVSS score of 6.5 classifies the vulnerability as moderate severity. Because the attack vector involves a publicly exposed dashboard, any individual with network access to the Grafana instance can exploit the flaw, making it relatively easy for an external actor to retrieve credentials. The EPSS score is not provided and the vulnerability is not currently listed in the CISA KEV catalog, but the potential damage from credential compromise is significant. The attack is straightforward: access any public dashboard that contains direct data‑source links, and the passwords are included in the rendered HTML.

Generated by OpenCVE AI on March 27, 2026 at 15:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Grafana vendor patch that fixes CVE‑2026‑27877.
  • Convert all direct data‑source connections to proxied data‑source connections where possible.
  • If the patch is unavailable, restrict public dashboard access to trusted users or disable public dashboards entirely.
  • Review and rotate any database credentials that may have been exposed.
  • Monitor Grafana logs for unauthorized data‑source access attempts.

Tracking

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 12:15:00 +0000

Type                      Values Removed   Values Added
Weaknesses                                 CWE-201
References
Metrics threat_severity   None             Important


Fri, 27 Mar 2026 20:30:00 +0000

Type          Values Removed   Values Added
Weaknesses                     CWE-200

Fri, 27 Mar 2026 15:15:00 +0000

Type           Values Removed   Values Added
Metrics ssvc                    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 14:30:00 +0000

Type               Values Removed   Values Added
Description                         When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Title                               Public dashboards discloses all direct mode datasources
References
Metrics cvssV3_1                    {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-03-27T14:56:34.782Z

Reserved: 2026-02-24T14:30:17.726Z

Link: CVE-2026-27877

Vulnrichment

Updated: 2026-03-27T14:54:26.882Z

NVD

Status : Received

Published: 2026-03-27T15:16:51.050

Modified: 2026-03-27T15:16:51.050

Link: CVE-2026-27877

Redhat

Severity : Important

Public Date: 2026-03-27T14:02:11Z

Links: CVE-2026-27877 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T20:28:45Z

Weaknesses