Grafana Labs reports: During the development of a new feature in Grafana 11.6.x, a security vulnerability was introduced that allows for Viewers and Editors to bypass dashboard-specific permissions. As a result, users with the Viewer role could view all the dashboards within their org and users with the Editor role could view, edit, and delete all the dashboards in their org. Note: Organization isolation boundaries still apply, which means viewers and editors in one organization cannot view or edit dashboards in another org. Also, this vulnerability does not allow users to query data via data sources they don’t have access to. The CVSS score for this vulnerability is 8.3 HIGH.