The vulnerability CVE-2026-32117 affects the ekacnet grafanacubism-panel plugin for Grafana, specifically versions 0.1.2 and earlier. This plugin integrates cubism.js visualizations into Grafana dashboards. The issue lies in the panel's zoom-link handler, which accepts a URL provided by users with dashboard Editor privileges and passes it directly to JavaScript functions window.location.assign() or window.open() without validating the URL scheme. This lack of scheme validation allows an attacker with Editor rights to supply a malicious javascript: URI. When a Viewer interacts with the panel by performing a drag-zoom operation, the malicious URI is executed in the context of the Grafana web origin, resulting in cross-site scripting (CWE-79). This can lead to arbitrary script execution, potentially allowing theft of sensitive information such as session cookies or performing actions on behalf of the user. The vulnerability requires the attacker to have Editor privileges to insert the malicious link and requires a Viewer to trigger the payload, involving user interaction. The CVSS v3.1 base score is 7.6 (high), reflecting network attack vector, low attack complexity, privileges required, user interaction, and high confidentiality impact with limited integrity impact and no availability impact. No patches or exploits in the wild are currently documented, but the vulnerability is publicly disclosed and should be addressed promptly.

This vulnerability poses a significant risk to organizations using the ekacnet grafanacubism-panel plugin in Grafana, especially those that allow multiple users with varying privilege levels. Successful exploitation can lead to the execution of arbitrary JavaScript in the context of the Grafana web application, compromising the confidentiality of sensitive data such as authentication tokens, user credentials, or internal dashboard data. Attackers could also perform unauthorized actions on behalf of the victim user, potentially leading to further compromise within the Grafana environment or connected systems. While availability is not directly impacted, the integrity of user sessions and data is at risk. Since exploitation requires Editor privileges and user interaction, the threat is somewhat constrained but remains serious in environments with many users or less stringent access controls. Organizations relying on Grafana dashboards for monitoring critical infrastructure or business metrics may face operational risks if attackers leverage this vulnerability to manipulate dashboard data or gain further access.

To mitigate this vulnerability, organizations should immediately upgrade the grafanacubism-panel plugin to a version later than 0.1.2 once available, as the current versions lack patches. Until an official patch is released, administrators should restrict dashboard Editor privileges to trusted users only, minimizing the risk of malicious URL insertion. Implement strict input validation or sanitization on URLs supplied to the zoom-link handler, ensuring only safe schemes such as http or https are allowed, and explicitly disallow javascript: or other potentially dangerous schemes. Consider disabling the zoom-link feature if it is not essential. Additionally, apply Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of potential XSS attacks. Monitor Grafana logs for unusual dashboard edits or drag-zoom interactions that could indicate exploitation attempts. Educate users about the risk of interacting with untrusted dashboards or panels. Finally, maintain up-to-date backups and incident response plans to quickly recover from any compromise.