Unauthorized Access in Grafana Alerting System Affecting Contact Point Permissions
CVE-2025-12141
1.3 LOW
What is CVE-2025-12141?
The vulnerability in Grafana's alerting system stems from overly broad permissions attached to the 'Contact Point Writer' role. Users holding edit rights for contact points, specifically the 'alert.notifications:write' or 'alert.notifications.receivers:test' actions, can modify existing contact points created by other users. By invoking the contact point test function against such a contact point, they can cause its sensitive settings, such as authentication credentials for third-party services, to be disclosed. A user with no legitimate need for those credentials can therefore obtain them and go on to access or compromise the external integrations the contact point connects to.
Affected Version(s)
Grafana Alerting, versions 8.0.0 through 12.3.0 inclusive