{"api_version":"1","generated_at":"2026-04-23T00:42:21+00:00","cve":"CVE-2021-41244","urls":{"html":"https://cve.report/CVE-2021-41244","api":"https://cve.report/api/cve/CVE-2021-41244.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-41244","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-41244"},"summary":{"title":"CVE-2021-41244","description":"Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2021-11-15 20:15:00","updated_at":"2022-03-31 16:28:00"},"problem_types":["CWE-863"],"metrics":[],"references":[{"url":"https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/","name":"https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/","refsource":"MISC","tags":[],"title":"Grafana 8.2.4 released with security fixes  | Grafana Labs","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20211223-0001/","name":"https://security.netapp.com/advisory/ntap-20211223-0001/","refsource":"CONFIRM","tags":[],"title":"CVE-2021-41244 Grafana Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2021/11/15/1","name":"[oss-security] 20211115 Grafana 8.2.4 released with security fixes","refsource":"MLIST","tags":[],"title":"oss-security - Grafana 8.2.4 released with security fixes","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx","name":"https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx","refsource":"CONFIRM","tags":[],"title":"Fine-grained access control enables organization admins to create/modify/delete user roles in other organization · Advisory · grafana/grafana · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-41244","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41244","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"41244","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-41244","qid":"502096","title":"Alpine Linux Security Update for grafana"},{"cve":"CVE-2021-41244","qid":"690736","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for grafana (99bff2bd-4852-11ec-a828-6c3be5272acd)"},{"cve":"CVE-2021-41244","qid":"730289","title":"Grafana Enterprise Incorrect Access Control Vulnerability"},{"cve":"CVE-2021-41244","qid":"752251","title":"SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2022:2134-1)"},{"cve":"CVE-2021-41244","qid":"752995","title":"SUSE Enterprise Linux Security Update for grafana (SUSE-SU-2022:4428-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-41244","STATE":"PUBLIC","TITLE":"Cross organization admin control in Grafana"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"grafana","version":{"version_data":[{"version_value":">= 8.0.0, < 8.2.4"}]}}]},"vendor_name":"grafana"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-610: Externally Controlled Reference to a Resource in Another Sphere"}]}]},"references":{"reference_data":[{"name":"https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx","refsource":"CONFIRM","url":"https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx"},{"name":"https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/","refsource":"MISC","url":"https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/"},{"refsource":"MLIST","name":"[oss-security] 20211115 Grafana 8.2.4 released with security fixes","url":"http://www.openwall.com/lists/oss-security/2021/11/15/1"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20211223-0001/","url":"https://security.netapp.com/advisory/ntap-20211223-0001/"}]},"source":{"advisory":"GHSA-mpwp-42x6-4wmx","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-11-15 20:15:00","lastModifiedDate":"2022-03-31 16:28:00","problem_types":["CWE-863"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndExcluding":"8.2.4","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"41244","Ordinal":"216939","Title":"CVE-2021-41244","CVE":"CVE-2021-41244","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"41244","Ordinal":"1","NoteData":"Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"41244","Ordinal":"2","NoteData":"2021-11-15","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"41244","Ordinal":"3","NoteData":"2021-12-23","Type":"Other","Title":"Modified"}]}}}