- 139/2026
- High
Grafana has released security updates to fix several vulnerabilities across multiple Grafana products.
The addressed vulnerabilities could allow the attacker to perform denial-of-service attacks, obtain sensitive information, gain elevated privileges, manipulate files, or bypass security restrictions on the affected systems.
Sample of the addressed vulnerabilities:
1. Grafana Auth Proxy IPv6 Whitelist Bypass Vulnerability (CVE-2026-33376):
- CVSS: 7.4
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Consequences: Security Bypass
2. Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin Vulnerability (CVE-2026-33377):
- CVSS: 7.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Privileges
Vulnerabilities
- CVE-2026-33376
- CVE-2026-28380
- CVE-2026-33377
- CVE-2026-33378
- CVE-2026-28376
- CVE-2026-28383
- CVE-2026-28374
- CVE-2026-33380
- CVE-2026-33381
- CVE-2026-28379
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.