anonhaven
Ad

CVE-2026-21727

LOW CVSS 3.1: 3.3
Updated Apr 17, 2026
Grafana
Parameter Value
CVSS 3.3 (LOW)
Vendor Grafana
Public PoC No

--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4.

Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Privileges Required
High
Admin privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

References 1

https://grafana.com/security/security-advisories/cve-2026-21727
security@grafana.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-28375

Grafana

6.5

CVE-2026-27879

Grafana

6.5

CVE-2026-27876

Grafana

9.1

CVE-2026-28377

Grafana

7.5

CVE-2026-33375

Grafana

6.5