Authentication mechanism absence or evasion in github.com/grafana/grafana

Description

Grafana vulnerable to authenticated users bypassing dashboard, folder permissions

A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).

Impact:

    Viewers can view all dashboards/folders regardless of permissions

    Editors can view/edit/delete all dashboards/folders regardless of permissions

    Editors can create dashboards in any folder regardless of permissions

    Anonymous users with viewer/editor roles are similarly affected

Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
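
For triage, an added example (not from the advisory or the Grafana project) that summarizes successful requests to the affected endpoints per client, split into reads and writes to match the impact list above. It assumes a reverse proxy in front of Grafana that writes NCSA combined-format access logs; the sample lines and the path segments after the API version are constructed placeholders.

```python
import re
from collections import defaultdict

# Endpoint prefix and API versions named in the advisory.
API_RE = re.compile(r"^/apis/dashboard\.grafana\.app/(v0alpha1|v1alpha1|v2alpha1)(?:/|$)")
# Assumption: NCSA combined log format from a reverse proxy in front of Grafana.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample lines, not from a real system. "EXAMPLE/..." is a placeholder
# for whatever follows the API version in a real request path.
SAMPLE_LOG = """\
198.51.100.7 - alice [10/May/2025:10:00:01 +0000] "GET /apis/dashboard.grafana.app/v1alpha1/EXAMPLE/dash-a HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - alice [10/May/2025:10:00:05 +0000] "DELETE /apis/dashboard.grafana.app/v1alpha1/EXAMPLE/dash-a HTTP/1.1" 200 64 "-" "curl/8.0"
198.51.100.8 - bob [10/May/2025:10:01:00 +0000] "GET /api/dashboards/uid/abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - carol [10/May/2025:10:02:00 +0000] "POST /apis/dashboard.grafana.app/v2alpha1/EXAMPLE HTTP/1.1" 403 30 "-" "curl/8.0"
203.0.113.9 - - [10/May/2025:10:03:00 +0000] "GET /apis/dashboard.grafana.app/v0alpha1/EXAMPLE?limit=500 HTTP/1.1" 200 7000 "-" "python-requests"
"""

def summarize(log_text):
    """Return {(ip, user): {"read": n, "write": n, "versions": set}} for 2xx calls
    to the affected endpoints. The result is a review list, not proof of a bypass."""
    hits = defaultdict(lambda: {"read": 0, "write": 0, "versions": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        api = API_RE.match(path)
        if not api or not m["status"].startswith("2"):
            continue  # other endpoint, or the request was refused
        entry = hits[(m["ip"], m["user"])]
        entry["write" if m["method"] in WRITE_METHODS else "read"] += 1
        entry["versions"].add(api.group(1))
    return dict(hits)

if __name__ == "__main__":
    for (ip, user), e in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, user, "reads:", e["read"], "writes:", e["write"], sorted(e["versions"]))
```

Each client listed still has to be compared against the dashboard and folder permissions that account was supposed to have; a user field of "-" marks unauthenticated (anonymous) traffic in this log format.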

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions