Grafana Direct Data-source Password Disclosure in Public Dashboards
CVE-2026-27877 Published on March 27, 2026
Public dashboards discloses all direct mode datasources
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Vulnerability Analysis
CVE-2026-27877 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Types
Cleartext Storage of Sensitive Information
The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as internal file system structure).
Products Associated with CVE-2026-27877
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-27877 are published in these products:
Affected Versions
Grafana:- Version 9.3.0 and below 11.6.14 is affected.
- Version 12.0.0 and below 12.1.10 is affected.
- Version 12.2.0 and below 12.2.8 is affected.
- Version 12.3.0 and below 12.3.6 is affected.
- Version 12.4.0 and below 12.4.2 is affected.
- Version 0:10.2.6-24.el10_1 and below * is unaffected.
- Version 0:10.2.6-26.el10_2 and below * is unaffected.
- Version 0:10.2.6-23.el10_0 and below * is unaffected.
- Version 0:10.2.6-20.el9_7 and below * is unaffected.
- Version 0:10.2.6-22.el9_8 and below * is unaffected.
- Version 0:10.2.6-20.el9_6 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.