{"api_version":"1","generated_at":"2026-04-23T04:33:41+00:00","cve":"CVE-2021-28146","urls":{"html":"https://cve.report/CVE-2021-28146","api":"https://cve.report/api/cve/CVE-2021-28146.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-28146","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-28146"},"summary":{"title":"CVE-2021-28146","description":"The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-03-22 14:15:00","updated_at":"2021-03-26 17:17:00"},"problem_types":["CWE-863"],"metrics":[],"references":[{"url":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/","name":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/","refsource":"MISC","tags":[],"title":"Release notes for Grafana 7.4.5  | Grafana Labs","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/","name":"https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/","refsource":"CONFIRM","tags":[],"title":"Grafana 6.7.6, 7.3.10, and 7.4.5 released with important security fixes for Grafana Enterprise  | Grafana Labs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://grafana.com/products/enterprise/","name":"https://grafana.com/products/enterprise/","refsource":"MISC","tags":[],"title":"Grafana Enterprise | Grafana Labs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.openwall.com/lists/oss-security/2021/03/19/5","name":"https://www.openwall.com/lists/oss-security/2021/03/19/5","refsource":"CONFIRM","tags":[],"title":"oss-security - Grafana 7.4.5, 7.3.10 and 6.7.6 released with security fixes for\n Grafana Enterprose","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/","name":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/","refsource":"MISC","tags":[],"title":"Release notes for Grafana 7.3.10  | Grafana Labs","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://community.grafana.com/t/release-notes-v6-7-x/27119","name":"https://community.grafana.com/t/release-notes-v6-7-x/27119","refsource":"MISC","tags":[],"title":"Release Notes v6.7.x - Releases - Grafana Community","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724","name":"https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724","refsource":"MISC","tags":[],"title":"Grafana Enterprise 6.7.6, 7.3.10 and 7.4.5 Security Update - Security Announcements - Grafana Labs Community Forums","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-28146","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28146","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"28146","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-28146","qid":"501864","title":"Alpine Linux Security Update for grafana"},{"cve":"CVE-2021-28146","qid":"730073","title":"Grafana Enterprise Multiple Security Vulnerabilities"},{"cve":"CVE-2021-28146","qid":"750959","title":"OpenSUSE Security Update for SUSE Manager Client Tools (openSUSE-SU-2021:2675-1)"},{"cve":"CVE-2021-28146","qid":"750960","title":"OpenSUSE Security Update for grafana (openSUSE-SU-2021:2662-1)"},{"cve":"CVE-2021-28146","qid":"750964","title":"OpenSUSE Security Update for grafana (openSUSE-SU-2021:1148-1)"},{"cve":"CVE-2021-28146","qid":"750980","title":"OpenSUSE Security Update for SUSE Manager Client Tools (openSUSE-SU-2021:1162-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-28146","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://community.grafana.com/t/release-notes-v6-7-x/27119","url":"https://community.grafana.com/t/release-notes-v6-7-x/27119"},{"url":"https://grafana.com/products/enterprise/","refsource":"MISC","name":"https://grafana.com/products/enterprise/"},{"refsource":"CONFIRM","name":"https://www.openwall.com/lists/oss-security/2021/03/19/5","url":"https://www.openwall.com/lists/oss-security/2021/03/19/5"},{"refsource":"CONFIRM","name":"https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/","url":"https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/"},{"refsource":"MISC","name":"https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724","url":"https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724"},{"refsource":"MISC","name":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/","url":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/"},{"refsource":"MISC","name":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/","url":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/"}]}},"nvd":{"publishedDate":"2021-03-22 14:15:00","lastModifiedDate":"2021-03-26 17:17:00","problem_types":["CWE-863"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"7.4.0","versionEndExcluding":"7.4.5","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"28146","Ordinal":"203301","Title":"CVE-2021-28146","CVE":"CVE-2021-28146","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"28146","Ordinal":"1","NoteData":"The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"28146","Ordinal":"2","NoteData":"2021-03-22","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"28146","Ordinal":"3","NoteData":"2021-03-22","Type":"Other","Title":"Modified"}]}}}