CVE-2026-21724
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk15th percentile - higher than 15% of all known CVEs
Summary
A vulnerability has been discovered in Grafana OSS that allows an authorization bypass in the provisioning contact points API. Users with Editor role can modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Risk Assessment
Organizations may be exposed to unauthorized changes in webhook configurations, potentially leading to data leaks or unauthorized access to systems.
Recommendation
It is recommended to restrict access to the provisioning contact points API and review user roles to ensure that only authorized personnel can modify protected webhook URLs.
Original NVD description (English source)
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

