CVE-2021-39226

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 05 October 2021
Modified: 24 October 2025
KEV Added: 25 August 2022
Patch:
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.9435 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-39226 is a critical-severity Improper Authentication (CWE-287) vulnerability in Grafana, from the vendor Grafana. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS 0.9435); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).

Deeper analysis

Grafana is an open source data visualization platform affected by improper authentication and authorization flaws (CWE-287 and CWE-862) that allow access to snapshot resources. In vulnerable versions, both unauthenticated and authenticated users can retrieve the snapshot possessing the lowest database key by directly requesting the paths /dashboard/snapshot/:key or /api/snapshots/:key. When the snapshot public_mode setting is enabled, unauthenticated users can additionally delete that snapshot via /api/snapshots-delete/:deleteKey, while authenticated users can perform the same deletion regardless of the setting.

An attacker can therefore enumerate and exfiltrate snapshot contents by repeatedly accessing the lowest-key resource, then delete each snapshot after retrieval, resulting in complete loss of snapshot data while traversing the entire collection. The vulnerability carries a CVSS 3.1 score of 9.8 and requires no privileges or user interaction.

Official advisories and patches state that the issue is resolved in Grafana 8.1.6 and 7.5.11. Organizations unable to upgrade immediately are advised to deploy a reverse proxy or equivalent control to block the literal paths /api/snapshots/:key, /api/snapshots-delete/:deleteKey, and /dashboard/snapshot/:key, which have no required operational function.

Vulnerability details

Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.
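As an added example (not code from this page, from Grafana, or from the advisory), the following Python script turns the two defensive points above into checks: the fixed versions the advisory names, and a detector for the view-then-delete walk over the literal snapshot paths as it would appear in reverse-proxy access logs. The log lines are constructed, the snapshot keys are placeholders, and the version check assumes plain x.y.z version strings.

```python
import re
from collections import defaultdict

# Combined-log-format prefix: client, timestamp, then the request line.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) ')
# The literal paths named in the advisory, each with one non-empty key segment.
SNAPSHOT_PATH = re.compile(r"^/(api/snapshots-delete|api/snapshots|dashboard/snapshot)/[^/?]+$")

def is_vulnerable(version):
    # Below the fixes the advisory names: 7.5.11 for the 7.x line, 8.1.6 for 8.0.0+.
    # Assumes a plain x.y.z string (pre-release suffixes are not handled).
    v = tuple(int(x) for x in version.split(".")[:3])
    return v < (7, 5, 11) or (8, 0, 0) <= v < (8, 1, 6)

def classify(method, path):
    # Map one request onto the advisory's primitives ('view' / 'delete');
    # anything else, including the /api/snapshots collection itself, is None.
    m = SNAPSHOT_PATH.match(path)
    if not m:
        return None
    if m.group(1) == "api/snapshots-delete" or method == "DELETE":
        return "delete"
    return "view"

def find_snapshot_walkers(lines, min_views=3):
    # {client: (views, deletes)} for clients that both read snapshot resources
    # repeatedly and deleted some: the walk-and-destroy pattern the advisory describes.
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m.group("method"), m.group("path"))
        if kind == "view":
            counts[m.group("client")][0] += 1
        elif kind == "delete":
            counts[m.group("client")][1] += 1
    return {c: tuple(n) for c, n in counts.items() if n[0] >= min_views and n[1] >= 1}

# Constructed sample access log (not real traffic); snapshot keys are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2021:10:00:01 +0000] "GET /api/snapshots/AbCdEf HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/Oct/2021:10:00:02 +0000] "GET /api/snapshots-delete/Zz1234 HTTP/1.1" 200 45',
    '203.0.113.7 - - [05/Oct/2021:10:00:03 +0000] "GET /api/snapshots/GhIjKl HTTP/1.1" 200 4096',
    '203.0.113.7 - - [05/Oct/2021:10:00:04 +0000] "DELETE /api/snapshots/GhIjKl HTTP/1.1" 200 45',
    '203.0.113.7 - - [05/Oct/2021:10:00:05 +0000] "GET /dashboard/snapshot/MnOpQr HTTP/1.1" 200 8192',
    '198.51.100.9 - - [05/Oct/2021:10:01:00 +0000] "GET /api/snapshots/AbCdEf HTTP/1.1" 200 5120',
    '198.51.100.9 - - [05/Oct/2021:10:01:05 +0000] "GET /api/dashboards/home HTTP/1.1" 200 1024',
]
```

Running `find_snapshot_walkers(SAMPLE_LOG)` flags only 203.0.113.7, with three views and two deletes; a client that merely opens one snapshot is not reported.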

CWE(s): CWE-287 (Improper Authentication), CWE-862 (Missing Authorization)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

grafana / grafana: ≤ 7.5.11, 8.0.0 — 8.1.6
fedoraproject / fedora: 34, 35

Mitigating Controls (NIST 800-53 r5)

- AC-3 Access Enforcement (prevent): Directly enforces authorization checks on snapshot endpoints so that only permitted users can view or delete /api/snapshots/:key and related paths.
- CM-7 Least Functionality (prevent): Requires disabling the non-essential snapshot view/delete paths that have no operational purpose and are the sole attack surface.
- Boundary protection (prevent): Boundary-protection devices (reverse proxy) can be configured to block the literal vulnerable URIs when patching is not immediately possible.
