mcp-grafana is vulnerable to Insertion of Sensitive Information into Log File
55
Medium Risk
mcp-grafana built its Grafana API client with go-openapi and, when the server's debug option was enabled, passed that debug flag through to the go-openapi runtime. The go-openapi debug mode dumps full outgoing HTTP requests using httputil.DumpRequestOut, so debug logs contained the Authorization bearer header carrying the Grafana service account token, along with other sensitive headers such as Cookie, X-Access-Token, and X-Grafana-Id, all in plaintext. Anyone with access to the log output, including centralized logging systems, could read the token and impersonate the configured service account. The fix replaces the raw request dump with a logging round tripper that redacts sensitive headers before logging while leaving the actual requests unchanged.
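The redacting round tripper described above, as an added illustration that is not mcp-grafana's own code: a shallow copy of the request is dumped with its sensitive headers replaced, while the original request (and its real token) is forwarded untouched. The header set, names and the placeholder token are assumptions for this example.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
)

// sensitiveHeaders: headers whose values must never reach a log (assumed set, mirrors the advisory).
var sensitiveHeaders = map[string]bool{
	"Authorization": true, "Cookie": true, "X-Access-Token": true, "X-Grafana-Id": true,
}

// RedactHeaders returns a copy of h with sensitive values replaced; h itself is not modified.
func RedactHeaders(h http.Header) http.Header {
	out := h.Clone()
	for name := range out {
		if sensitiveHeaders[http.CanonicalHeaderKey(name)] {
			out[name] = []string{"[REDACTED]"}
		}
	}
	return out
}

// DumpRedactedRequest renders req as httputil.DumpRequestOut would, from a redacted copy (body omitted).
func DumpRedactedRequest(req *http.Request) (string, error) {
	clone := req.Clone(req.Context())
	clone.Header = RedactHeaders(req.Header)
	b, err := httputil.DumpRequestOut(clone, false)
	return string(b), err
}

// RedactingRoundTripper logs a redacted dump, then forwards the original request unchanged.
type RedactingRoundTripper struct {
	Next http.RoundTripper
	Logf func(format string, args ...any)
}

func (r RedactingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	if dump, err := DumpRedactedRequest(req); err == nil {
		r.Logf("outgoing request:\n%s", dump)
	}
	return r.Next.RoundTrip(req)
}
func main() {
	// Constructed request with a placeholder token; the printed dump shows "[REDACTED]" instead.
	req, _ := http.NewRequest("GET", "https://grafana.example/api/search?query=x", nil)
	req.Header.Set("Authorization", "Bearer glsa_PLACEHOLDER")
	dump, _ := DumpRedactedRequest(req)
	log.Print(dump)
}
```

Wrap the client's transport as `&http.Client{Transport: RedactingRoundTripper{Next: http.DefaultTransport, Logf: log.Printf}}`; the dump omits the body, so a request body carrying credentials still needs separate handling.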
You are affected if you are using a version that falls within the vulnerable range.
mcp-grafana is vulnerable to Insertion of Sensitive Information into Log File in versions 0.3.0 - 0.15.0.
Upgrade the mcp-grafana library to the patched version.