Fluid Attacks Database

Description

Grafana public dashboards disclose all direct mode datasources When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.

No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel9	grafana	<0:10.2.6-22.el9_8	0:10.2.6-22.el9_8
rpm rhel10	grafana	<0:10.2.6-26.el10_2	0:10.2.6-26.el10_2
go	github.com/grafana/grafana	>=9.3.0 <11.6.14 \|\| >=12.0.0 <12.1.10 \|\| >=12.2.0 <12.2.8 \|\| >=12.3.0 <12.3.6 \|\| >=12.4.0 <12.4.2 \|\| >=1.9.2-0.20221116104934-4ee83a5f2bf4 <1.9.2-0.20260325055210-3522153e07b4	1.9.2-0.20260325055210-3522153e07b4
rpm rhel10.0	grafana	<0:10.2.6-23.el10_0	0:10.2.6-23.el10_0
rpm rhel9.6	grafana	<0:10.2.6-20.el9_6	0:10.2.6-20.el9_6

Aliases

1. CVE-2026-278772. NVD-2026-278773. OSV-2026-278774. GCVE-2026-27877

References

1. https://grafana.com/security/security-advisories/cve-2026-27877

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.