Public dashboards discloses all direct mode datasources
Summary
| CVE | CVE-2026-27877 |
|---|---|
| State | PUBLISHED |
| Assigner | GRAFANA |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-27 15:16:51 UTC |
| Updated | 2026-07-15 02:19:11 UTC |
| Description | When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Problem Types: NVD-CWE-noinfo | CWE-312 | CWE-201 | CWE-312 CWE-312 Cleartext Storage of Sensitive Information | CWE-201 Insertion of Sensitive Information Into Sent Data
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | [email protected] | Secondary | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | CNA | DECLARED | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Grafana | Grafana | affected 9.3.0 11.6.14 semver | Not specified |
| CNA | Grafana | Grafana | affected 12.0.0 12.1.10 semver | Not specified |
| CNA | Grafana | Grafana | affected 12.2.0 12.2.8 semver | Not specified |
| CNA | Grafana | Grafana | affected 12.3.0 12.3.6 semver | Not specified |
| CNA | Grafana | Grafana | affected 12.4.0 12.4.2 semver | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | unaffected 0:10.2.6-24.el10_1 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | unaffected 0:10.2.6-26.el10_2 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10.0 Extended Update Support | unaffected 0:10.2.6-23.el10_0 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | unaffected 0:10.2.6-20.el9_7 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | unaffected 0:10.2.6-22.el9_8 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9.6 Extended Update Support | unaffected 0:10.2.6-20.el9_6 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:10226 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10223 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11416 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-27877 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| grafana.com/security/security-advisories/cve-2026-27877 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | grafana.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:19352 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19134 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27877.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11417 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-27T15:03:34.023Z | Reported to Red Hat. |
| ADP | 2026-03-27T14:02:11.889Z | Made public. |
Solutions
ADP: RHSA-2026:11417: Red Hat Enterprise Linux AppStream EUS (v. 10.0)
ADP: RHSA-2026:10223: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:19134: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:11416: Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:10226: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:19352: Red Hat Enterprise Linux AppStream (v. 9)
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.