CVE-2026-21722: Vulnerability in Grafana grafana/grafana
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.
AI Analysis
Technical Summary
This vulnerability in Grafana's public dashboards occurs because the annotation timerange was not limited to the locked timerange set on the dashboard. As a result, an attacker or user with access to the public dashboard could read all annotations visible on that dashboard, even those outside the locked timerange. The issue does not expose any annotations that were not already visible on the public dashboard, thus limiting the scope of information disclosure. The CVSS v3.1 base score is 5.3, reflecting a medium severity with network attack vector, low complexity, no privileges or user interaction required, and limited confidentiality impact.
Potential Impact
The impact is limited to information disclosure of annotations on public Grafana dashboards beyond the locked timerange. No integrity or availability impacts are reported. No annotations outside those already visible on the public dashboard are leaked, so the exposure is constrained to data already accessible to the public dashboard viewers.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch links or vendor advisories are provided, users should monitor official Grafana channels for updates. Until a fix is available, consider disabling annotations on public dashboards or restricting dashboard access to trusted users to mitigate exposure.
CVE-2026-21722: Vulnerability in Grafana grafana/grafana
Description
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Grafana's public dashboards occurs because the annotation timerange was not limited to the locked timerange set on the dashboard. As a result, an attacker or user with access to the public dashboard could read all annotations visible on that dashboard, even those outside the locked timerange. The issue does not expose any annotations that were not already visible on the public dashboard, thus limiting the scope of information disclosure. The CVSS v3.1 base score is 5.3, reflecting a medium severity with network attack vector, low complexity, no privileges or user interaction required, and limited confidentiality impact.
Potential Impact
The impact is limited to information disclosure of annotations on public Grafana dashboards beyond the locked timerange. No integrity or availability impacts are reported. No annotations outside those already visible on the public dashboard are leaked, so the exposure is constrained to data already accessible to the public dashboard viewers.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch links or vendor advisories are provided, users should monitor official Grafana channels for updates. Until a fix is available, consider disabling annotations on public dashboards or restricting dashboard access to trusted users to mitigate exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GRAFANA
- Date Reserved
- 2026-01-05T09:26:06.214Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 698d9b14c9e1ff5ad8b1f9ef
Added to database: 2/12/2026, 9:19:16 AM
Last enriched: 4/25/2026, 11:05:24 PM
Last updated: 5/13/2026, 1:37:48 PM
Views: 1086
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.