Improper access control in Grafana - CVE-2026-21722

 


Published: February 12, 2026


Vulnerability identifier: #VU122756
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-21722
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grafana Labs
Affected software:
Grafana

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists because the application does not limit the annotation time range to the locked time range of a public dashboard that has annotations enabled. A remote attacker can read the entire history of annotations visible on that dashboard, including those outside the locked time range.
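The missing check described above, as an added Go example (not Grafana's code or the vendor's patch): a simplified model in which the client supplies the annotation range and the server intersects it with the dashboard's locked range before selecting annotations. The types, function names and sample data are hypothetical.

```go
package main

import "fmt"

// Hypothetical, simplified types; times are epoch milliseconds.
type TimeRange struct{ From, To int64 }

type Annotation struct {
	Text          string
	Time, TimeEnd int64 // point annotation: TimeEnd == Time
}

// Constructed sample data; the locked window used in main is 1000..2000.
var sample = []Annotation{
	{"old incident", 100, 100},
	{"deploy", 1500, 1500},
	{"maintenance", 1900, 2500},
}

// overlapping returns annotations intersecting r; passing the client range directly models the flaw.
func overlapping(all []Annotation, r TimeRange) []Annotation {
	var out []Annotation
	for _, a := range all {
		if a.Time <= r.To && a.TimeEnd >= r.From {
			out = append(out, a)
		}
	}
	return out
}

// annotationsLocked intersects the requested range with the locked range first.
func annotationsLocked(all []Annotation, requested, locked TimeRange) []Annotation {
	from, to := requested.From, requested.To
	if from < locked.From {
		from = locked.From
	}
	if to > locked.To {
		to = locked.To
	}
	if from > to { // request lies entirely outside the locked window
		return nil
	}
	return overlapping(all, TimeRange{from, to})
}

func main() {
	wide, locked := TimeRange{0, 1 << 62}, TimeRange{1000, 2000}
	fmt.Println(len(overlapping(sample, wide)), len(annotationsLocked(sample, wide, locked)))
}
```

An annotation region that straddles the edge of the locked window is still returned, because part of it falls inside the window the dashboard is allowed to show.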


How to mitigate CVE-2026-21722

Install updates from the vendor's website.
