CVE-2022-31107: CWE-863: Incorrect Authorization in grafana grafana
Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.
AI Analysis
Technical Summary
CVE-2022-31107 is a medium-severity vulnerability affecting multiple versions of Grafana, an open-source platform widely used for monitoring and observability. The flaw is an incorrect authorization issue (CWE-863) that allows a malicious user with OAuth login access to take over another user's Grafana account under specific conditions. The vulnerability exists in Grafana versions from 5.3 up to but not including patched versions 8.3.10, 8.4.10, 8.5.9, and 9.0.3. The attack requires that the malicious user is authorized to log into the Grafana instance via a configured OAuth Identity Provider (IdP) that supplies a login name. If the attacker’s external user ID and email are not already linked to an existing Grafana account, and the attacker knows the target user’s Grafana username, the attacker can manipulate the OAuth login flow by setting their OAuth username to the target’s username. Due to the way Grafana links external OAuth identities to internal user accounts during login, this allows the attacker to gain access to the target user’s account without needing the target’s credentials. This vulnerability does not require the attacker to have prior access to the target account but does require knowledge of the target’s username and the ability to authenticate via OAuth. The flaw can be mitigated by disabling OAuth login or ensuring all OAuth users have pre-linked Grafana accounts associated with their email addresses. Patched versions have been released to address this issue. No known exploits in the wild have been reported to date.
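As an added illustration (not Grafana's own code), the following Go model shows the account-linking precedence the summary describes: an OAuth identity is matched first by its stored external id, then by email, and in the flawed version finally by the IdP-supplied login name, which is what lets an unlinked identity land on another user's account. The type names, the loginFallback switch and the sample identities are assumptions made for this example.

```go
package main

import ("errors"; "fmt")

// Minimal models of a Grafana user, an external identity already bound to
// one, and the claims an IdP returns after the OAuth flow (all constructed).
type User struct{ ID int; Login, Email string }
type AuthLink struct{ Module, AuthID string; UserID int }
type Claims struct{ Module, AuthID, Email, Login string }
type Store struct{ Users []User; Links []AuthLink }
var ErrNoMatch = errors.New("no existing account matches this identity")

func (s *Store) find(pred func(User) bool) *User {
	for i := range s.Users {
		if pred(s.Users[i]) {
			return &s.Users[i]
		}
	}
	return nil
}
// resolve selects the local account for an OAuth login: stored external id,
// then email, then (only when loginFallback is set) the IdP-supplied login.
func resolve(s *Store, c Claims, loginFallback bool) (*User, error) {
	for _, l := range s.Links { // 1. a stored (module, external id) link wins
		if l.Module == c.Module && l.AuthID == c.AuthID {
			if u := s.find(func(u User) bool { return u.ID == l.UserID }); u != nil {
				return u, nil
			}
		}
	}
	if u := s.find(func(u User) bool { return u.Email == c.Email }); u != nil {
		return u, nil // 2. email already known locally
	}
	if loginFallback { // 3. flawed step: the login claim is user-editable at many IdPs
		if u := s.find(func(u User) bool { return u.Login == c.Login }); u != nil {
			return u, nil
		}
	}
	return nil, ErrNoMatch // caller provisions a new account or rejects
}
// ResolveVulnerable models the pre-patch precedence; ResolveFixed drops the
// login-name fallback so identities link only via external id or email.
func ResolveVulnerable(s *Store, c Claims) (*User, error) { return resolve(s, c, true) }
func ResolveFixed(s *Store, c Claims) (*User, error)      { return resolve(s, c, false) }
func main() {
	s := &Store{Users: []User{{ID: 1, Login: "admin", Email: "admin@example.test"}}}
	c := Claims{Module: "oauth_generic", AuthID: "idp-999", Email: "mallory@example.test", Login: "admin"}
	u, _ := ResolveVulnerable(s, c)
	_, err := ResolveFixed(s, c)
	fmt.Printf("vulnerable -> user %d; fixed -> %v\n", u.ID, err)
}
```

The same model doubles as an audit helper for recommendation 4 below: any OAuth identity that only resolves through the login-name step is an account with a missing external-id or email link.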
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of monitoring and observability data managed through Grafana. Unauthorized access to user accounts could allow attackers to view sensitive operational metrics, modify dashboards, or disrupt monitoring workflows, potentially masking other malicious activities or causing operational blind spots. This could impact incident response, system reliability, and compliance with data protection regulations such as GDPR if sensitive information is exposed. The vulnerability’s exploitation requires OAuth login capability, which is common in enterprise environments leveraging single sign-on (SSO) solutions. Therefore, organizations using OAuth with Grafana are at risk, especially if user accounts are not properly linked or if OAuth login is widely enabled without strict user provisioning controls. The attack could also facilitate lateral movement within an organization’s monitoring infrastructure, increasing the potential damage. Although no active exploitation is known, the ease of exploitation under the stated conditions and the widespread use of Grafana in European enterprises and public sector organizations elevate the threat level.
Mitigation Recommendations
1. Upgrade Grafana instances to the latest patched versions (>= 8.3.10, 8.4.10, 8.5.9, or 9.0.3) as soon as possible to eliminate the vulnerability.
2. If immediate upgrade is not feasible, disable OAuth login temporarily to prevent exploitation.
3. Enforce strict user provisioning policies ensuring that every user authorized via OAuth has a corresponding Grafana account linked by email before enabling OAuth login.
4. Audit existing user accounts and OAuth configurations to identify any accounts that could be vulnerable due to missing links between OAuth identities and Grafana accounts.
5. Monitor Grafana login logs for suspicious OAuth login attempts, especially those where usernames do not match expected email or user ID mappings.
6. Implement network segmentation and access controls to limit exposure of Grafana instances to only trusted users and networks.
7. Educate administrators and users about the risks of OAuth misconfiguration and the importance of secure identity management practices.
8. Consider additional multi-factor authentication (MFA) layers at the OAuth provider level to reduce risk of account takeover.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Finland
Technical Details
Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
Cisa Enriched: true
Threat ID: 682d9844c4522896dcbf36bd
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/23/2025, 3:05:53 AM
Last updated: 8/15/2025, 5:35:13 AM