{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3260", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2025-04-04T09:06:12.014Z", "datePublished": "2025-06-02T10:06:39.039Z", "dateUpdated": "2025-06-02T12:14:34.036Z"}, "containers": {"cna": {"affected": [{"product": "Grafana", "vendor": "Grafana", "versions": [{"lessThan": "11.6.1+security-01", "status": "affected", "version": "11.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).</p><p>Impact:</p><p>- Viewers can view all dashboards/folders regardless of permissions</p><p>- Editors can view/edit/delete all dashboards/folders regardless of permissions</p><p>- Editors can create dashboards in any folder regardless of permissions</p><p>- Anonymous users with viewer/editor roles are similarly affected</p><p>Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.</p>"}], "value": "A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).\n\nImpact:\n\n- Viewers can view all dashboards/folders regardless of permissions\n\n- Editors can view/edit/delete all dashboards/folders regardless of permissions\n\n- Editors can create dashboards in any folder regardless of permissions\n\n- Anonymous users with viewer/editor roles are similarly affected\n\nOrganization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2025-06-02T10:06:39.039Z"}, "references": [{"url": "https://grafana.com/security/security-advisories/CVE-2025-3260/"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-02T12:13:45.529554Z", "id": "CVE-2025-3260", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-02T12:14:34.036Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3260", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-02T12:13:45.529554Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-02T12:14:21.279Z"}}], "cna": {"impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Grafana", "product": "Grafana", "versions": [{"status": "affected", "version": "11.6.0", "lessThan": "11.6.1+security-01", "versionType": "semver"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/CVE-2025-3260/"}], "descriptions": [{"lang": "en", "value": "A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).\n\nImpact:\n\n- Viewers can view all dashboards/folders regardless of permissions\n\n- Editors can view/edit/delete all dashboards/folders regardless of permissions\n\n- Editors can create dashboards in any folder regardless of permissions\n\n- Anonymous users with viewer/editor roles are similarly affected\n\nOrganization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.", "supportingMedia": [{"type": "text/html", "value": "<p>A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).</p><p>Impact:</p><p>- Viewers can view all dashboards/folders regardless of permissions</p><p>- Editors can view/edit/delete all dashboards/folders regardless of permissions</p><p>- Editors can create dashboards in any folder regardless of permissions</p><p>- Anonymous users with viewer/editor roles are similarly affected</p><p>Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2025-06-02T10:06:39.039Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3260", "state": "PUBLISHED", "dateUpdated": "2025-06-02T12:14:34.036Z", "dateReserved": "2025-04-04T09:06:12.014Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2025-06-02T10:06:39.039Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).\n\nImpact:\n\n- Viewers can view all dashboards/folders regardless of permissions\n\n- Editors can view/edit/delete all dashboards/folders regardless of permissions\n\n- Editors can create dashboards in any folder regardless of permissions\n\n- Anonymous users with viewer/editor roles are similarly affected\n\nOrganization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources."}], "id": "CVE-2025-3260", "lastModified": "2025-06-02T17:32:17.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2025-06-02T10:15:21.740", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/CVE-2025-3260/"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@grafana.com", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana: Unauthorized Dashboard Access in Grafana", "id": "2358556", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358556"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-281", "details": ["A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).\nImpact:\n- Viewers can view all dashboards/folders regardless of permissions\n- Editors can view/edit/delete all dashboards/folders regardless of permissions\n- Editors can create dashboards in any folder regardless of permissions\n- Anonymous users with viewer/editor roles are similarly affected\nOrganization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.", "A flaw was found in Grafana. This vulnerability allows users with Viewer or Editor roles to access or modify dashboards without proper permissions."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-3260", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-25T13:02:53Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-3260\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-3260"], "statement": "This vulnerability is rated with an Important severity due to its ability to completely bypass role-based access controls, allowing users with VIEWER or EDITOR roles to access, modify, or delete dashboards regardless of permissions. \nThe impact is further amplified when anonymous authentication is enabled, where unauthenticated users can perform privileged actions, significantly increasing exposure. Although organization-level isolation remains intact, the failure to enforce dashboard-level permissions undermines core security guarantees. \nIt\u2019s important to note that this issue affects only Grafana version 11.6.0, which is not included in any Red Hat supported builds, and therefore Red Hat customers are not impacted.", "threat_severity": "Important"}