Authentication Flaw in Grafana Affecting User Permissions
CVE-2025-3260

8.3 HIGH

Key Information:

Vendor

Grafana

Status
Vendor
CVE Published:
2 June 2025

Badges

📰 News Worthy

What is CVE-2025-3260?

A vulnerability in Grafana's API endpoints allows authenticated users to bypass existing permissions for dashboards and folders. This flaw enables viewers to access all dashboards and folders irrespective of their assigned permissions, while editors can not only view but also edit and delete any dashboards or folders. Furthermore, editors can create new dashboards in any folder without restrictions. This critical oversight also affects anonymous users with viewer or editor roles. Despite these issues, organization isolation boundaries are preserved, meaning access to data sources remains uncompromised.

Affected Version(s)

Grafana 11.6.0 < 11.6.1+security-01

News Articles

CVE-2025-3260

Grafana Labs reports: During the development of a new feature in Grafana 11.6.x, a security vulnerability was introduced that allows for Viewers and Editors to bypass dashboard-specific permissions. As a result, users with the Viewer role could view all the dashboards within their org an...

References

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • 📰 First article discovered by Tenable

  • Vulnerability Reserved
