- 144/2025
- High
Grafana has released security updates to address multiple vulnerabilities affecting Grafana.
The addressed vulnerabilities could allow the remote attacker to bypass security restrictions, obtain sensitive information, or perform denial of service attacks on the affected product.
Sample of the addressed vulnerabilities:
1. Authorization Vulnerability In /apis Allows Authenticated Bypass for All Dashboard Permissions (CVE-2025-3260):
- CVSS: 8.3
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Bypass security
2. Authorization Bypass in Datasource Proxy Vulnerability (CVE-2025-3454):
- CVSS: 5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Obtain Information
Vulnerabilities
- CVE-2025-3260
- CVE-2025-3454
- CVE-2025-1088
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.