CVE Catalog

CVE-2026-21727

LowCVSS 3.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. A user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization.

Risk Assessment

This vulnerability may lead to unauthorized access to data between organizations, posing a risk to data confidentiality and integrity.

Recommendation

It is recommended to update Grafana to version >=11.6.11, >=12.0.9, >=12.1.6, or >=12.2.4 to mitigate this vulnerability.

Original NVD description (English source)

--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS