CVE-2025-3717: CWE-653 in Grafana Labs Grafana Snowflake Datasource Plugin
When using the Grafana Snowflake Datasource Plugin, if OAuth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used, and information for which the viewer is not authorized being returned. This issue affects Grafana Snowflake Datasource Plugin: from 1.5.0 before 1.14.1.
AI Analysis
Technical Summary
CVE-2025-3717 is a concurrency-related vulnerability classified under CWE-653 (Insufficient Control of a Resource Through its Lifetime) found in the Grafana Snowflake Datasource Plugin versions from 1.5.0 up to, but not including, 1.14.1. The issue manifests when OAuth passthrough authentication is enabled on the datasource and multiple users use the same datasource concurrently within a single Grafana instance. Under these conditions, the plugin may associate a query with the wrong user identifier, so data intended for one user becomes accessible to another. The flaw stems from improper handling of user session or token context during concurrent access, producing a race condition or state confusion. The vulnerability affects confidentiality by potentially exposing sensitive data to unauthorized users; it does not affect data integrity or availability. The CVSS 4.0 score is 2.1 (low severity), reflecting the need for user interaction, low privileges, and limited impact scope. No known exploits are currently reported in the wild. The vulnerability is relevant to organizations that use Grafana for data visualization with Snowflake as a backend and OAuth passthrough for authentication, especially in multi-user environments where datasources are shared.
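The hazard described above, as an added sketch that is not the plugin's code: a per-user passthrough token stored on a datasource instance shared by all users can be overwritten by a concurrent request, while a token carried in the request's context cannot. The Datasource type, its methods and the token strings are hypothetical.

```go
package main

import (
	"context"
	"fmt"
)

// Datasource is the one instance every user shares (hypothetical sketch, not the plugin's code).
type Datasource struct {
	token string // hazard: a per-user OAuth token kept in shared state
}

// Vulnerable pattern: the token is written to shared state in one step and read
// back in a later one, so another user's request that runs in between replaces it.
func (d *Datasource) SetUserToken(token string) { d.token = token }
func (d *Datasource) QueryShared() string        { return "as:" + d.token }

// Safe pattern: the token travels in the request's context and never touches
// shared state, so concurrent requests cannot observe each other's identity.
type ctxKey struct{}

func (d *Datasource) QueryScoped(ctx context.Context) string {
	tok, _ := ctx.Value(ctxKey{}).(string)
	return "as:" + tok
}

// InterleavedShared replays the misattributing interleaving: alice stores her token,
// bob's concurrent request stores his, then alice's query runs.
func InterleavedShared() string {
	d := &Datasource{}
	d.SetUserToken("alice-token")
	d.SetUserToken("bob-token")
	return d.QueryShared() // "as:bob-token": alice is served bob's data
}

// ConcurrentScoped runs many users at once against one shared instance and
// returns how many answers came back under the wrong identity (expect 0).
func ConcurrentScoped(users int) int {
	d := &Datasource{}
	res := make(chan bool, users) // true = answered under the wrong identity
	for i := 0; i < users; i++ {
		go func(i int) {
			tok := fmt.Sprintf("user%d-token", i)
			ctx := context.WithValue(context.Background(), ctxKey{}, tok)
			res <- d.QueryScoped(ctx) != "as:"+tok
		}(i)
	}
	wrong := 0
	for i := 0; i < users; i++ {
		if <-res {
			wrong++
		}
	}
	return wrong
}
```

The first function shows why a shared mutable token field is a data race by construction; the second shows that request-scoped identity holds up under real concurrency.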
Potential Impact
For European organizations, the primary impact is unauthorized disclosure of data queried through the Snowflake datasource in Grafana. This could lead to exposure of sensitive business intelligence or personal data if users access dashboards concurrently and the datasource is shared. While the vulnerability does not allow data modification or system disruption, the confidentiality breach could violate GDPR and other data protection regulations, resulting in compliance risks and reputational damage. Organizations relying on Grafana for critical analytics or regulatory reporting may face operational risks if sensitive data is leaked. The impact is heightened in sectors with strict data privacy requirements such as finance, healthcare, and government. However, the low CVSS score and absence of known exploits suggest the threat is currently limited but should not be ignored given the potential regulatory consequences.
Mitigation Recommendations
1. Upgrade the Grafana Snowflake Datasource Plugin to version 1.14.1 or later, where the vulnerability is patched.
2. Avoid enabling OAuth passthrough on datasources shared among multiple users concurrently. Instead, configure individual datasources per user or use alternative authentication methods that isolate user sessions.
3. Implement strict access controls and auditing on Grafana instances to monitor datasource usage and detect anomalous access patterns.
4. Educate users and administrators about the risks of sharing datasources with OAuth passthrough enabled.
5. Regularly review and update Grafana and plugin configurations to align with security best practices, including session management and authentication isolation.
6. If an immediate upgrade is not possible, consider restricting access to affected datasources to trusted users only and limiting concurrent usage scenarios.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GRAFANA
- Date Reserved: 2025-04-16T08:56:42.388Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6913a6d6768d655a7be04419
Added to database: 11/11/2025, 9:12:54 PM
Last enriched: 11/11/2025, 9:13:06 PM
Last updated: 11/11/2025, 11:43:56 PM