logo

Database

Improper authorization control for web services In github.com/grafana/grafana

Description

Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

A patched version is available at https://github.com/grafana/grafana/releases/tag/v12.3.6.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-217242. NVD-2026-217243. OSV-2026-217244. GCVE-2026-21724

References

1. https://github.com/grafana/grafana/commit/daffe750de85b0dbf79f206a35835cf66a83d6ca2. https://github.com/grafana/grafana/releases/tag/v12.3.63. https://grafana.com/security/security-advisories/cve-2026-21724

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.