A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
History

Mon, 02 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Jun 2025 10:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in Grafana. This vulnerability allows users with Viewer or Editor roles to access or modify dashboards without proper permissions. A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}

cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}


Tue, 29 Apr 2025 06:45:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A flaw was found in Grafana. This vulnerability allows users with Viewer or Editor roles to access or modify dashboards without proper permissions.

Sat, 26 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title grafana: Unauthorized Dashboard Access in Grafana
Weaknesses CWE-281
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}

threat_severity

Important


cve-icon MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published: 2025-06-02T10:06:39.039Z

Updated: 2025-06-02T12:14:34.036Z

Reserved: 2025-04-04T09:06:12.014Z

Link: CVE-2025-3260

cve-icon Vulnrichment

Updated: 2025-06-02T12:14:21.279Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-06-02T10:15:21.740

Modified: 2025-06-02T17:32:17.397

Link: CVE-2025-3260

cve-icon Redhat

Severity : Important

Publid Date: 2025-04-25T13:02:53Z

Links: CVE-2025-3260 - Bugzilla