CVE-2026-21722: Vulnerability in Grafana grafana/grafana
Description
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.
AI Analysis
Technical Summary
CVE-2026-21722 is a vulnerability identified in the Grafana open-source analytics and monitoring platform, specifically affecting versions 9.3.0, 12.0.0, 12.2.0, and 12.3.0. The issue arises from improper enforcement of annotation timerange restrictions on public dashboards with annotations enabled. Normally, public dashboards can be locked to a specific timerange to restrict data visibility. However, due to this vulnerability, the annotation timerange was not constrained to the locked timerange, allowing anyone accessing the public dashboard to read the entire history of annotations visible on that dashboard, including annotations outside the locked timerange. Importantly, this does not expose annotations that are not already visible on the public dashboard, so it does not leak data beyond the dashboard's public scope. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting a medium severity level, with an attack vector of network (remote), no privileges required, no user interaction, and limited confidentiality impact. There is no indication of integrity or availability impact. No known exploits have been reported in the wild as of the publication date. The root cause is a failure to properly restrict annotation queries to the locked timerange, which could be addressed by patching Grafana to enforce timerange limits on annotations consistently. This vulnerability is relevant for organizations exposing Grafana dashboards publicly with annotations enabled and relying on timerange locking to limit data exposure.
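The root cause described above is a missing intersection between the viewer-supplied annotation query window and the dashboard's locked timerange. The Go example below is added here to illustrate that check; it is not Grafana's code and uses hypothetical types (TimeRange, PublicDashboard, Annotation) and constructed sample data. It shows the faulty behaviour (the requested window is used as-is) beside the corrected behaviour (the requested window is clamped to the locked range, and a request that lies entirely outside the lock is rejected).

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TimeRange is a half-open window [From, To). Hypothetical type for this example.
type TimeRange struct {
	From, To time.Time
}

// PublicDashboard models only the field relevant here: the timerange the
// dashboard owner locked the public view to. nil means no lock is configured.
type PublicDashboard struct {
	LockedRange *TimeRange
}

// Annotation is a minimal stand-in for a dashboard annotation record.
type Annotation struct {
	ID   int
	Time time.Time
	Text string
}

// ErrOutsideLockedRange is returned when the requested window and the lock do not overlap.
var ErrOutsideLockedRange = errors.New("requested range lies entirely outside the locked range")

// ClampToLockedRange intersects the viewer's requested window with the locked range.
// With no lock configured the request passes through unchanged.
func ClampToLockedRange(pd PublicDashboard, requested TimeRange) (TimeRange, error) {
	if pd.LockedRange == nil {
		return requested, nil
	}
	from, to := requested.From, requested.To
	if from.Before(pd.LockedRange.From) {
		from = pd.LockedRange.From
	}
	if to.After(pd.LockedRange.To) {
		to = pd.LockedRange.To
	}
	if !from.Before(to) {
		return TimeRange{}, ErrOutsideLockedRange
	}
	return TimeRange{From: from, To: to}, nil
}

// QueryAnnotationsUnclamped reproduces the faulty behaviour: the lock is ignored,
// so a wide requested window returns the dashboard's whole annotation history.
func QueryAnnotationsUnclamped(all []Annotation, requested TimeRange) []Annotation {
	return filterByRange(all, requested)
}

// QueryAnnotationsClamped applies the lock before filtering, so only annotations
// inside the locked timerange can ever be returned to a public viewer.
func QueryAnnotationsClamped(pd PublicDashboard, all []Annotation, requested TimeRange) ([]Annotation, error) {
	r, err := ClampToLockedRange(pd, requested)
	if err != nil {
		return nil, err
	}
	return filterByRange(all, r), nil
}

func filterByRange(all []Annotation, r TimeRange) []Annotation {
	var out []Annotation
	for _, a := range all {
		if !a.Time.Before(r.From) && a.Time.Before(r.To) {
			out = append(out, a)
		}
	}
	return out
}

// day builds a UTC timestamp at midnight; used for the constructed sample data.
func day(y int, m time.Month, d int) time.Time {
	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
}

// SampleAnnotations is constructed test data: two annotations inside a
// February 2026 lock window and two outside it.
func SampleAnnotations() []Annotation {
	return []Annotation{
		{ID: 1, Time: day(2026, time.January, 15), Text: "maintenance window (outside lock)"},
		{ID: 2, Time: day(2026, time.February, 10), Text: "deploy v2 (inside lock)"},
		{ID: 3, Time: day(2026, time.February, 20), Text: "alert acknowledged (inside lock)"},
		{ID: 4, Time: day(2026, time.March, 5), Text: "post-incident review (outside lock)"},
	}
}

func main() {
	pd := PublicDashboard{LockedRange: &TimeRange{From: day(2026, time.February, 1), To: day(2026, time.March, 1)}}
	wide := TimeRange{From: day(2025, time.January, 1), To: day(2027, time.January, 1)}

	fmt.Printf("unclamped: %d annotations returned\n", len(QueryAnnotationsUnclamped(SampleAnnotations(), wide)))
	clamped, _ := QueryAnnotationsClamped(pd, SampleAnnotations(), wide)
	fmt.Printf("clamped:   %d annotations returned\n", len(clamped))
}
```

The clamp is deliberately applied server-side, before the annotation store is queried, because the requested window is attacker-controlled input on a public endpoint; rejecting a non-overlapping window (rather than silently returning an empty result) also gives the access logs a distinct signal that a viewer asked for data outside the lock.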
Potential Impact
The primary impact of CVE-2026-21722 is a confidentiality risk where sensitive historical annotation data on public Grafana dashboards may be exposed beyond intended time restrictions. Organizations that use Grafana dashboards publicly to share monitoring or analytics data with annotations could inadvertently reveal more historical context than intended, potentially disclosing sensitive operational or security-related information embedded in annotations. Although the vulnerability does not allow access to annotations outside the public dashboard's visibility scope, the extended timerange exposure could still provide attackers or unauthorized viewers with additional insight into system events or incidents. This could aid reconnaissance or social engineering efforts. Since the vulnerability does not affect integrity or availability, the risk is limited to information disclosure. The ease of exploitation (no authentication or user interaction required) increases the likelihood of opportunistic scanning or data harvesting. Organizations relying on Grafana for critical infrastructure monitoring, cloud services, or industrial control systems could face reputational damage or compliance issues if sensitive annotation data is exposed. However, the lack of known exploits and the medium severity score suggest the threat is moderate but should not be ignored.
Mitigation Recommendations
To mitigate CVE-2026-21722, organizations should promptly update affected Grafana instances to versions where this vulnerability is fixed once patches are released by the vendor. Until patches are available, administrators should consider disabling public dashboards with annotations enabled, or restricting public access using network-level controls such as VPNs, IP allowlisting, or authentication gateways. Reviewing and minimizing the use of annotations on public dashboards reduces exposure. Additionally, implementing strict access controls and monitoring for unusual access patterns to public dashboards can help detect exploitation attempts. Organizations should audit existing dashboards to verify that timerange locking is enforced as expected and remove any sensitive annotation data from publicly accessible dashboards. Employing Web Application Firewalls (WAFs) with custom rules to detect abnormal annotation queries may provide temporary protection. Finally, educating dashboard creators about the risks of exposing annotations publicly and enforcing internal policies on dashboard publication can reduce future risk.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GRAFANA
- Date Reserved: 2026-01-05T09:26:06.214Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698d9b14c9e1ff5ad8b1f9ef
Added to database: 2/12/2026, 9:19:16 AM
Last enriched: 2/28/2026, 12:12:19 PM
Last updated: 3/12/2026, 6:23:29 AM