AIKIDO-2025-10385

Grafana is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-3415
Published Jun 19, 2025

43

Medium Risk

This Affects:

Package: Grafana (ecosystem: os)

10.0.0 - 10.4.18 (fixed in 10.4.19)
11.0.0 - 11.2.9 (fixed in 11.2.10)
11.3.0 - 11.3.7 (fixed in 11.3.8)
11.4.0 - 11.4.5 (fixed in 11.4.6)
11.5.0 - 11.5.5 (fixed in 11.5.6)
11.6.0 - 11.6.2 (fixed in 11.6.3)
12.0.0 - 12.0.0 (fixed in 12.0.1)

TL;DR

Affected versions of this package allow unauthorized access to DingDing contact points, potentially exposing configured DingDing alerting URLs to users with Viewer permissions and leaking sensitive data. An attacker with Viewer access can retrieve the DingDing integration URL, including API keys, enabling unauthorized interactions with the DingDing alerting service.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

Grafana is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in versions 10.0.0 - 10.4.18, 11.0.0 - 11.2.9, 11.3.0 - 11.3.7, 11.4.0 - 11.4.5, 11.5.0 - 11.5.5, 11.6.0 - 11.6.2 and 12.0.0 - 12.0.0.
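The seven affected ranges above are easy to misread by hand (for example, 11.2.10 is fixed while 11.3.0 is affected again). The following script is an added example, not part of the advisory or of Grafana itself; it encodes the ranges from this page and reports whether a given Grafana version string (as printed by `grafana-server -v`, assumed format `MAJOR.MINOR.PATCH` with an optional `v` prefix or build suffix) falls inside one of them and which release fixes it.

```python
# Added example (not part of the Aikido advisory or the Grafana project):
# check a Grafana version against the affected ranges published for CVE-2025-3415.
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (first affected, last affected, first fixed) copied from the advisory table above.
AFFECTED_RANGES = [
    ("10.0.0", "10.4.18", "10.4.19"),
    ("11.0.0", "11.2.9", "11.2.10"),
    ("11.3.0", "11.3.7", "11.3.8"),
    ("11.4.0", "11.4.5", "11.4.6"),
    ("11.5.0", "11.5.5", "11.5.6"),
    ("11.6.0", "11.6.2", "11.6.3"),
    ("12.0.0", "12.0.0", "12.0.1"),
]


def parse_version(text: str) -> Version:
    """Turn '11.2.9', 'v11.2.9' or '11.2.9+security-01' into a comparable int tuple.

    Build metadata (+...) and pre-release tags (-...) are dropped, which is the
    conservative choice: a pre-release of an affected base version is reported as affected.
    """
    core = text.strip().lstrip("v").split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    return tuple(int(p) for p in parts)


def affected_fix(version: str) -> Optional[str]:
    """Return the first fixed version if `version` lies in an affected range, else None.

    None also covers versions the advisory does not list at all (e.g. anything before 10.0.0),
    so a None result means "not in a listed range", not "proven safe".
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inputs covering range edges and a gap between release lines.
    for candidate in ("10.4.18", "11.2.10", "11.3.0", "12.0.0", "12.0.1", "9.5.3"):
        fix = affected_fix(candidate)
        print(f"{candidate}: " + (f"affected, upgrade to {fix}" if fix else "not in a listed range"))
```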

How to fix this

Upgrade Grafana to the fixed version listed above for your release line (for example, 11.2.x to 11.2.10 or 12.0.0 to 12.0.1).