← back
CVE-2026-21722

Public Dashboards time range restriction on annotations can be bypassed

CVSS 5.3 MEDIUMEPSS 0.3%CWE-863
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
12 Feb 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
Grafana · grafana/grafanaGrafana · grafana/grafana-enterprise

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://grafana.com/security/security-advisories/cve-2026-21722