{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27877", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-02-24T14:30:17.726Z", "datePublished": "2026-03-27T14:02:11.889Z", "dateUpdated": "2026-03-27T14:56:34.782Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-27T14:28:54.740Z"}, "datePublic": "2026-03-27T13:59:46.831Z", "title": "Public dashboards discloses all direct mode datasources", "descriptions": [{"lang": "en", "value": "When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security."}], "affected": [{"vendor": "Grafana", "product": "Grafana", "platforms": ["OnPrem", "Cloud"], "defaultStatus": "unaffected", "versions": [{"version": "v9.3.0", "status": "affected", "versionType": "semver", "lessThan": "v11.6.14"}, {"version": "v12.0.0", "status": "affected", "versionType": "semver", "lessThan": "v12.1.10"}, {"version": "v12.2.0", "status": "affected", "versionType": "semver", "lessThan": "v12.2.8"}, {"version": "v12.3.0", "status": "affected", "versionType": "semver", "lessThan": "v12.3.6"}, {"version": "v12.4.0", "status": "affected", "versionType": "semver", "lessThan": "v12.4.2"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27877", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27877", "tags": ["broken-link"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T14:56:26.128138Z", "id": "CVE-2026-27877", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:56:34.782Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27877", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T14:56:26.128138Z"}}}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27877", "tags": ["broken-link"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:54:26.882Z"}}], "cna": {"title": "Public dashboards discloses all direct mode datasources", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "Grafana", "product": "Grafana", "versions": [{"status": "affected", "version": "v9.3.0", "lessThan": "v11.6.14", "versionType": "semver"}, {"status": "affected", "version": "v12.0.0", "lessThan": "v12.1.10", "versionType": "semver"}, {"status": "affected", "version": "v12.2.0", "lessThan": "v12.2.8", "versionType": "semver"}, {"status": "affected", "version": "v12.3.0", "lessThan": "v12.3.6", "versionType": "semver"}, {"status": "affected", "version": "v12.4.0", "lessThan": "v12.4.2", "versionType": "semver"}], "platforms": ["OnPrem", "Cloud"], "defaultStatus": "unaffected"}], "datePublic": "2026-03-27T13:59:46.831Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27877", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security."}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-27T14:28:54.740Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27877", "state": "PUBLISHED", "dateUpdated": "2026-03-27T14:56:34.782Z", "dateReserved": "2026-02-24T14:30:17.726Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-03-27T14:02:11.889Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security."}], "id": "CVE-2026-27877", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-03-27T15:16:51.050", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2026-27877"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://grafana.com/security/security-advisories/cve-2026-27877"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "grafana: Grafana: Information disclosure of data-source passwords via public dashboards", "id": "2452293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452293"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-201", "details": ["A flaw was found in Grafana. When public dashboards are used with direct data-sources, sensitive credentials, specifically passwords for all direct data-sources, are exposed. This information disclosure occurs even when these data-sources are not actively utilized in the dashboards. A remote attacker could exploit this to gain unauthorized access to other systems."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27877", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-27T14:02:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27877\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27877\nhttps://grafana.com/security/security-advisories/cve-2026-27877"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[9.3.0,11.6.14)"}}, {"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.0.0,12.1.10)"}}, {"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.2.0,12.2.8)"}}, {"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.0,12.3.6)"}}, {"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.4.0,12.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Grafana", "source": "cna", "vendor": "Grafana"}, "product": "grafana", "vendor": "grafana"}], "analysis": {"en": {"generated_at": "2026-03-29T21:20:51.214593+00:00", "value": {"mitigation_remediation": ["Apply the latest Grafana patch or update to the newest release that contains the fix.", "Convert all direct data\u2011source connections to proxied data\u2011sources wherever possible to limit credential exposure.", "Restrict or remove public sharing of dashboards that contain direct data sources.", "Review existing dashboards to identify and remove any exposed credentials.", "Monitor audit logs for unauthorized access to dashboards or data\u2011source credentials."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Grafana installations that expose dashboards publicly while using direct data\u2011source connections. All Grafana deployments with public dashboards and direct data\u2011source enabled are potentially impacted; specific product versions are not listed in the advisory, so administrators should check deployments that meet these conditions regardless of version.", "description_and_impact": "Grafana public dashboards that use direct data\u2011source connections expose the passwords associated with those sources. When a dashboard is shared publicly, the underlying data\u2011source credentials appear in the dashboard\u2019s configuration, allowing anyone with dashboard access to read them. An attacker who obtains these passwords can connect directly to the data sources and access, modify, or delete the underlying data, compromising confidentiality and integrity of the data stored behind those sources.", "risk_and_exploitability": "The CVSS base score is 6.5, indicating a moderate severity data disclosure risk. The EPSS score is below 1%, suggesting a low probability of exploitation observed in the wild, and the vulnerability is not listed in the CISA KEV catalogue. An attacker can exploit the flaw by requesting the public dashboard URL; the exposed credentials are present in the page source, which infers an attack vector of unauthenticated remote information disclosure. No additional conditions or elevated privileges are required to read the passwords."}}}}, "created": "2026-03-27T20:28:45.992344+00:00", "updated": "2026-03-30T07:03:54.890490+00:00", "vendors": ["grafana", "grafana$PRODUCT$grafana"]}