Cross-Tenant Isolation Flaw in Grafana Affecting Legacy Correlation Records
CVE-2026-21727

3.3 LOW

Key Information:

Vendor: Grafana
CVE Published: 15 April 2026

What is CVE-2026-21727?

A vulnerability in Grafana's Correlations feature allows users with data source management privileges to access and delete legacy correlation records belonging to other organizations. The issue stems from a lapse in cross-tenant isolation: records with org_id = 0 can be returned across different organizations. This affects any correlations created prior to Grafana version 10.2. Users are advised to upgrade to versions 11.6.11, 12.0.9, 12.1.6, or 12.2.4 to mitigate this issue.

Affected Version(s)

Grafana Correlations OnPrem 10.2.0 < 12.4.0

CVSS V3.1

Score: 3.3
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
