CVE-2026-32117: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ekacnet grafanacubism-panel
CVE-2026-32117 is a high-severity cross-site scripting (XSS) vulnerability in the ekacnet grafanacubism-panel plugin for Grafana versions 0.1.2 and earlier. The flaw arises because the panel’s zoom-link handler directly passes a dashboard editor-supplied URL to window.location.assign() or window.open() without validating the URL scheme. An attacker with dashboard editor privileges can inject a javascript: URI, which executes malicious code in the context of the Grafana origin when any viewer performs a drag-zoom action on the panel. This vulnerability requires at least editor-level privileges and user interaction but can lead to high confidentiality impact by stealing session tokens or performing actions on behalf of the user. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
CVE-2026-32117 is a cross-site scripting vulnerability classified under CWE-79 affecting the ekacnet grafanacubism-panel plugin for Grafana, specifically versions 0.1.2 and earlier. The vulnerability stems from improper neutralization of input during web page generation. The plugin’s zoom-link handler takes a URL supplied by a user with dashboard editor privileges and passes it directly to JavaScript functions window.location.assign() or window.open() without validating the URL scheme. This lack of validation allows an attacker with editor privileges to craft a malicious URL using the javascript: URI scheme. When a viewer interacts with the panel by performing a drag-zoom action, the malicious JavaScript executes in the context of the Grafana origin, enabling potential theft of sensitive information such as session cookies, or unauthorized actions within the Grafana environment. The vulnerability requires the attacker to have dashboard editor privileges, which limits the initial attack surface, and user interaction (drag-zoom) to trigger the payload. The CVSS v3.1 base score is 7.6, reflecting network attack vector, low attack complexity, privileges required (editor), user interaction required, scope change, high confidentiality impact, low integrity impact, and no availability impact. No patches or exploits are currently publicly available, but the vulnerability is publicly disclosed and should be addressed promptly. The root cause is the failure to validate or sanitize URLs before passing them to sensitive browser APIs, allowing execution of arbitrary JavaScript code.
Potential Impact
The primary impact of this vulnerability is the potential compromise of confidentiality within Grafana instances using the vulnerable plugin. An attacker with editor privileges can execute arbitrary JavaScript in the context of the Grafana web application, potentially stealing session cookies, tokens, or other sensitive data accessible to the browser. This can lead to account takeover or unauthorized access to dashboards and data visualizations. The integrity impact is limited but could allow manipulation of the user interface or injection of misleading information. Availability is not affected. Since exploitation requires editor privileges, the risk is mitigated by restricting such privileges to trusted users. However, in environments where editor roles are widely granted or compromised, this vulnerability could facilitate lateral movement or privilege escalation. Organizations relying on Grafana for monitoring critical infrastructure or business data could face significant operational and reputational risks if attackers leverage this vulnerability to gain unauthorized access or disrupt monitoring workflows.
Mitigation Recommendations
To mitigate CVE-2026-32117, organizations should first upgrade the grafanacubism-panel plugin to a version later than 0.1.2 once a patch is released. Until then, restrict dashboard editor privileges strictly to trusted and verified users to minimize the risk of malicious URL injection. Implement input validation and sanitization on URLs supplied to the zoom-link handler, ensuring that only safe schemes such as http and https are allowed, and explicitly block javascript: or other dangerous schemes. Consider disabling or restricting the use of the grafanacubism-panel plugin if it is not essential. Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and untrusted JavaScript. Monitor Grafana logs for unusual dashboard edits or suspicious drag-zoom actions. Educate users about the risk of interacting with untrusted dashboards. Finally, maintain up-to-date Grafana and plugin versions and subscribe to vendor security advisories for timely patching.
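As an added illustration (not code from the grafanacubism-panel project), the unsafe pattern the advisory describes is shown beside a scheme-allowlisting fix for the zoom-link handler; the function names, the base URL and the fake `window` object are assumptions constructed for this example:

```javascript
// Added example, not the plugin's own code. Shows why a raw editor-supplied URL must not
// reach window.open()/location.assign() and how to allowlist the scheme first.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Vulnerable pattern from the advisory: the string stored in the panel config goes straight
// to the browser API, so a javascript: URI runs in the Grafana origin on drag-zoom.
function openZoomLinkUnsafe(rawUrl, win) {
  win.open(rawUrl, '_blank');
}

// Hardened version. The WHATWG URL parser trims surrounding whitespace and lower-cases the
// scheme, so "  JavaScript:" and "javascript:" are both caught by one allowlist check.
// Relative links resolve against the dashboard's own base URL. Returns null to drop the link.
function sanitizeZoomUrl(rawUrl, baseUrl) {
  if (typeof rawUrl !== 'string' || rawUrl.trim() === '') return null;
  let parsed;
  try {
    parsed = new URL(rawUrl, baseUrl);
  } catch (e) {
    return null; // unparseable input is rejected rather than passed through
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Handler shape assumed for the example: returns false when navigation was refused.
function openZoomLinkSafe(rawUrl, baseUrl, win) {
  const safe = sanitizeZoomUrl(rawUrl, baseUrl);
  if (safe === null) return false;
  // noopener: the opened page gets no reference back to the Grafana window object.
  win.open(safe, '_blank', 'noopener,noreferrer');
  return true;
}

// Constructed stand-in for `window` so the logic can be exercised outside a browser.
function makeFakeWindow() {
  const calls = [];
  return { calls, open: (...args) => { calls.push(args); } };
}
```

The allowlist blocks XSS via javascript: and data: URIs; if the panel should only ever link back into Grafana itself, additionally compare `parsed.origin` against the dashboard origin to rule out off-site redirects.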
Affected Countries
United States, Germany, United Kingdom, Japan, France, Canada, Australia, Netherlands, Sweden, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:02:38.855Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1e24f2f860ef943814c67
Added to database: 3/11/2026, 9:44:47 PM
Last enriched: 3/19/2026, 2:22:56 AM
Last updated: 4/24/2026, 5:26:20 AM