Grafana Incorrect Permission Assignment for Critical Resource Vulnerability - CVE-2026-21727

Low
Reference: CVE-2026-21727
Title: Grafana Incorrect Permission Assignment for Critical Resource Vulnerability
Overview:

---
title: Cross-Tenant Legacy Correlation Disclosure and Deletion
date: 2026-01-29
product: Grafana
severity: Low
cve: CVE-2026-21727
cvss_score: "3.3"
cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
fixed_versions:
  - ">11.6.11 >12.0.9 >12.1.6 >12.2.4"
---

A cross-tenant isolation vulnerability was found in Grafana's Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization.

This issue affects correlations created prior to Grafana 10.2 and is fixed in >11.6.11, >12.0.9, >12.1.6 and >12.2.4.

Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.