Authorization Bypass in Grafana's Datasource Proxy API
CVE-2025-3454
5 MEDIUM
What is CVE-2025-3454?
A flaw in Grafana's datasource proxy API allows its authorization checks to be bypassed by adding an extra slash character to the URL path. A user with minimal permissions can thereby gain unauthorized read access to GET endpoints of Alertmanager and Prometheus datasources, exposing data they were not granted access to. The flaw primarily affects datasources on which route-specific permissions are configured, because those per-route checks are what the malformed path sidesteps; the fix ships in the +security-01 builds listed under Affected Version(s).
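The following is an added illustration of the bug class described above, written for this page; it is not Grafana's code, and the route names, roles and the permissive default are assumptions made for the demonstration. It models a route-specific permission check that runs against the raw request path and then forwards to an upstream that collapses repeated slashes: `/api/v1//alerts` matches no rule, falls through to the default, and the upstream serves `/api/v1/alerts` anyway. The hardened variant canonicalises the path first and rejects any path that changed shape under normalisation.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// routeRule is a route-specific permission on a proxied datasource path.
// Illustrative model only; Grafana's real rule format is not reproduced here.
type routeRule struct {
	prefix       string
	requiredRole string
}

// Hypothetical protected routes for the demonstration.
var rules = []routeRule{
	{"/api/v1/alerts", "Admin"},
	{"/api/v1/silences", "Admin"},
}

// authorizeRaw models the flawed check: the rule lookup runs on the raw
// request path. "/api/v1//alerts" matches no rule, so the request falls
// through to the permissive default, even though an upstream that
// collapses "//" to "/" will serve the protected resource.
func authorizeRaw(reqPath, role string) bool {
	for _, r := range rules {
		if strings.HasPrefix(reqPath, r.prefix) {
			return role == r.requiredRole
		}
	}
	return true // no route-specific rule: any datasource user may query
}

// authorizeNormalized is the hardened form: canonicalise the path so it is
// judged in the shape the upstream will see, refuse anything that changed
// under normalisation ("//", "/./", "/../"), and match on whole segments
// so "/api/v1/alertsfoo" is not treated as "/api/v1/alerts".
func authorizeNormalized(reqPath, role string) bool {
	clean := path.Clean(reqPath)
	if clean != reqPath {
		return false
	}
	for _, r := range rules {
		if clean == r.prefix || strings.HasPrefix(clean, r.prefix+"/") {
			return role == r.requiredRole
		}
	}
	return true
}

func main() {
	for _, p := range []string{"/api/v1/alerts", "/api/v1//alerts", "/api/v1/query"} {
		fmt.Printf("%-18s Viewer: raw=%-5v normalized=%v\n", p,
			authorizeRaw(p, "Viewer"), authorizeNormalized(p, "Viewer"))
	}
}
```

Rejecting a non-canonical path is the conservative choice; forwarding the cleaned path instead is also defensible, but only if the same cleaned value is what the permission check evaluated. The broader lesson is that any check applied before a proxy hop must see exactly the path the upstream will interpret.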
Affected Version(s)
Grafana 11.6.0 (fixed in 11.6.0+security-01)
Grafana 11.5.0 through 11.5.3 (fixed in 11.5.3+security-01)
Grafana 11.4.0 through 11.4.3 (fixed in 11.4.3+security-01)
CVSS V3.1
Score:
5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed