
AIKIDO-2025-10268

Grafana is vulnerable to Authorization Bypass

Authorization Bypass, CVE-2025-3454

50

Medium Risk

This Affects:

Grafana (os)
8.0.0 - 10.4.17, fixed in 10.4.18
11.0.0 - 11.2.8, fixed in 11.2.9
11.3.0 - 11.3.5, fixed in 11.3.6
11.4.0 - 11.4.3, fixed in 11.4.4
11.5.0 - 11.5.3, fixed in 11.5.4
11.6.0 - 11.6.0, fixed in 11.6.1

TL;DR

This vulnerability, which was discovered while reviewing a pull request from an external contributor, affects Grafana's data source proxy API and allows authorization checks to be bypassed by adding an extra slash character (/) in the URL path. Among Grafana-maintained data sources, the vulnerability only affects the read paths of Prometheus (all flavors) and Alertmanager when configured with basic authorization.
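The pattern described above, where a path that is not in canonical form slips past a rule that matches on the raw request path, can be modelled in a few lines. The following is an added example and is not Grafana's code: it assumes a hypothetical proxy that enforces role requirements on a short list of restricted upstream route prefixes and forwards everything else with the data source's own credentials, and it assumes the proxy route prefix /api/datasources/proxy/ for the log check. The restricted prefixes, role names and log lines are all constructed for the example. It shows the vulnerable matcher beside a hardened one that canonicalises the path before matching (and refuses paths that are not already canonical), plus a small detector that flags non-canonical proxy requests in access-log lines.

```python
import re
import posixpath

# Constructed model (not Grafana's code): per-route role requirements keyed on
# path prefix. Routes that match no rule are proxied as-is with the data
# source's credentials, which is why a matching miss amounts to a bypass.
RESTRICTED_ROUTES = [
    ("/api/v1/admin/", "Admin"),   # hypothetical admin endpoints
    ("/api/v1/write",  "Editor"),  # hypothetical write endpoint
]
ROLE_RANK = {"Viewer": 1, "Editor": 2, "Admin": 3}

# Assumed proxy route prefix used by the log check below.
PROXY_PREFIX = re.compile(r"^/api/datasources/proxy/")


def canonicalize(path):
    """Collapse runs of '/', resolve '.' and '..' segments, keep a trailing '/'."""
    if not path.startswith("/"):
        path = "/" + path
    collapsed = re.sub(r"/+", "/", path)      # also handles a leading '//'
    canon = posixpath.normpath(collapsed)
    if collapsed.endswith("/") and not canon.endswith("/"):
        canon += "/"                          # normpath strips it; prefix rules need it
    return canon


def _role_allows(role, path):
    """Apply the first restricted rule whose prefix matches; default is allow."""
    for prefix, required in RESTRICTED_ROUTES:
        if path.startswith(prefix):
            return ROLE_RANK[role] >= ROLE_RANK[required]
    return True


def authorize_vulnerable(role, raw_path):
    """Vulnerable form: rules are matched against the raw request path, so
    '/api//v1/admin/x' matches nothing and falls through to the default allow."""
    return _role_allows(role, raw_path)


def authorize_hardened(role, raw_path):
    """Hardened form: refuse any path that is not already canonical, then match
    the canonical path. The upstream would normalise the path anyway, so the
    authorisation decision must be made on the same form the upstream sees."""
    canon = canonicalize(raw_path)
    if canon != raw_path:
        return False
    return _role_allows(role, canon)


# Constructed access-log lines (method, path, status); not real Grafana logs.
SAMPLE_LOG = [
    "GET /api/datasources/proxy/uid/abc123/api/v1/query 200",
    "GET /api/datasources/proxy/uid/abc123/api//v1/admin/example 200",
    "GET /api/datasources/proxy/1/api/v1/../v1/admin/example 200",
    "GET /api/dashboards/home 200",
]


def find_noncanonical_proxy_requests(lines):
    """Return the raw paths of proxy requests whose path is not canonical.
    Such requests are worth reviewing on unpatched instances."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        path = parts[1]
        if PROXY_PREFIX.match(path) and canonicalize(path) != path:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for fn in (authorize_vulnerable, authorize_hardened):
        print(fn.__name__, "Viewer /api//v1/admin/example ->",
              fn("Viewer", "/api//v1/admin/example"))
    print("suspicious:", find_noncanonical_proxy_requests(SAMPLE_LOG))
```

Refusing non-canonical paths outright is a deliberate choice for a proxy: it is simpler to reason about than trying to preserve every odd path an upstream might accept, but it will break any client that legitimately sends doubled slashes or dot segments, so check your own traffic before enforcing it. The log check is only a triage aid; the fix for the versions listed on this page is the upgrade.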

Who does this affect?

You are affected if you are running a Grafana version that falls within one of the vulnerable ranges listed above.

Background info

Grafana is vulnerable to Authorization Bypass in versions 8.0.0 - 10.4.17, 11.0.0 - 11.2.8, 11.3.0 - 11.3.5, 11.4.0 - 11.4.3, 11.5.0 - 11.5.3 and 11.6.0 - 11.6.0.

How to fix this

Upgrade Grafana to the fixed version for your release line, as listed above.