The vulnerability in Grafana 12.3.0 arises because the dashboard permissions API only checks if a user has the dashboards.permissions:* action but does not verify that the user is operating within the scope of the intended target dashboard. Consequently, a user authorized to manage permissions on one dashboard can escalate privileges by accessing and modifying permissions on other dashboards within the organization. This is classified under CWE-863 (Incorrect Authorization). The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) reflects network attack vector, low attack complexity, requiring low privileges but no user interaction, with high confidentiality and integrity impact and no availability impact.

An attacker with permission management rights on any single dashboard can read and modify permissions on all other dashboards in the organization. This leads to unauthorized access and control over dashboards, potentially exposing sensitive data or allowing further privilege escalations within the organization. There is no impact on system availability. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict permission management rights to trusted users only and monitor for unusual permission changes. Avoid granting broad dashboards.permissions:* rights unnecessarily. Follow Grafana's official channels for updates on patches or temporary mitigations.