Grafana Exposure of Sensitive Information to an Unauthorized Actor Vulnerability - CVE-2025-12141 - Vulnerability Database


Severity: Medium
Reference: CVE-2025-12141
Title: Grafana Exposure of Sensitive Information to an Unauthorized Actor Vulnerability
Overview:

In Grafana's alerting system, users with edit permissions for a contact point (specifically the permissions alert.notifications:write or alert.notifications.receivers:test, which are granted as part of the fixed role "Contact Point Writer", itself part of the basic role Editor) can edit contact points created by other users and modify the endpoint URL to point to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g. Slack tokens). This leads to unauthorized access and potential compromise of external integrations.
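Detection logic for the sequence described above, added here as an example and not taken from Grafana or this advisory: it flags a contact point whose endpoint host was changed by someone other than its creator and then tested by the same user shortly afterwards. The event schema (`ts`, `actor`, `action`, `uid`, `owner`, `old_url`, `new_url`), the action names and the 15-minute window are assumptions, and the sample events are constructed.

```python
from urllib.parse import urlsplit

WINDOW_SECONDS = 900  # assumed correlation window between edit and test

# Constructed sample events; field and action names are a hypothetical schema,
# not Grafana's audit log format.
EVENTS = [
    {"ts": 1000, "actor": "alice", "action": "contact_point.update", "uid": "cp-slack",
     "owner": "alice", "old_url": "https://hooks.slack.example/a",
     "new_url": "https://hooks.slack.example/b"},
    {"ts": 1010, "actor": "alice", "action": "contact_point.test", "uid": "cp-slack"},
    {"ts": 2000, "actor": "bob", "action": "contact_point.update", "uid": "cp-slack",
     "owner": "alice", "old_url": "https://hooks.slack.example/b",
     "new_url": "https://collector.other.example/x"},
    {"ts": 2030, "actor": "bob", "action": "contact_point.test", "uid": "cp-slack"},
    {"ts": 9000, "actor": "bob", "action": "contact_point.test", "uid": "cp-slack"},
]

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def find_redirect_then_test(events, window=WINDOW_SECONDS):
    """Return findings where a non-owner moved the endpoint to a new host
    and the same actor ran a test on that contact point within `window`."""
    pending = {}   # (uid, actor) -> (change timestamp, new host)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["uid"], ev["actor"])
        if ev["action"] == "contact_point.update":
            foreign = ev["actor"] != ev["owner"]
            moved = host(ev["old_url"]) != host(ev["new_url"])
            if foreign and moved:
                pending[key] = (ev["ts"], host(ev["new_url"]))
            else:
                pending.pop(key, None)
        elif ev["action"] == "contact_point.test" and key in pending:
            changed_at, new_host = pending.pop(key)  # match the first test only
            if ev["ts"] - changed_at <= window:
                findings.append({"uid": ev["uid"], "actor": ev["actor"],
                                 "new_host": new_host, "changed_at": changed_at,
                                 "tested_at": ev["ts"]})
    return findings

if __name__ == "__main__":
    for finding in find_redirect_then_test(EVENTS):
        print(finding)
```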