Cyber Posture

CVE-2026-21721

Severity: High
Published: 27 January 2026
Modified: 20 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0001 (3.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21721 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Grafana (vendor Grafana). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 3.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 requires systems to enforce approved authorizations for access to resources, directly countering the API's failure to verify target dashboard scope.

Prevent: SI-2 mandates identification and correction of flaws like this incorrect authorization vulnerability in Grafana's permissions API.

Prevent: AC-6 least privilege limits users' permission management rights to only necessary dashboards, reducing the potential for escalation via the flawed API.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Authorization bypass in dashboard permissions API directly enables exploitation for internal privilege escalation from low-privileged dashboard access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization-internal privilege escalation.

Deeper analysis

CVE-2026-21721 is a vulnerability in Grafana's dashboard permissions API, where the API does not verify the target dashboard scope and only checks for the dashboards.permissions:* action. This flaw enables a user with permission management rights on one dashboard to read and modify permissions on other dashboards, resulting in an organization-internal privilege escalation. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-863 (Incorrect Authorization). It was published on 2026-01-27.

The attack requires low privileges, specifically the ability to manage permissions on at least one dashboard, along with network access to the Grafana instance. Exploitation has low complexity, needs no user interaction, and maintains unchanged scope. A successful attacker can achieve high confidentiality impact by reading permissions on other dashboards and high integrity impact by modifying them, facilitating broader privilege escalation within the organization.

Grafana has published a security advisory at https://grafana.com/security/security-advisories/cve-2026-21721 detailing the vulnerability.
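As an added illustration (not Grafana's code and not taken from the advisory), the flaw class described above written in Go: a scope-blind action check beside one that also requires the grant's scope to cover the targeted dashboard. The action and scope string formats used here ("dashboards.permissions:write", "dashboards:uid:<uid>", "dashboards:*") are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is an action granted on a scope; "dashboards:*" covers every dashboard (formats assumed).
type Permission struct {
	Action string
	Scope  string
}

// scopeCovers: a granted scope ending in "*" matches any requested scope with that prefix.
func scopeCovers(granted, requested string) bool {
	if strings.HasSuffix(granted, "*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return granted == requested
}

// vulnerableCheck shows the flaw class described above: it asks only whether the
// user holds the action somewhere and never looks at which dashboard is targeted.
func vulnerableCheck(grants []Permission, action, targetUID string) bool {
	for _, p := range grants {
		if p.Action == action {
			return true // scope ignored, so any dashboard passes
		}
	}
	return false
}

// fixedCheck requires a grant whose action matches and whose scope covers
// the specific dashboard being read or modified.
func fixedCheck(grants []Permission, action, targetUID string) bool {
	want := "dashboards:uid:" + targetUID
	for _, p := range grants {
		if p.Action == action && scopeCovers(p.Scope, want) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed grant: the user may manage permissions on dashboard "team-a" only.
	grants := []Permission{{Action: "dashboards.permissions:write", Scope: "dashboards:uid:team-a"}}
	fmt.Println(vulnerableCheck(grants, "dashboards.permissions:write", "finance")) // true (flaw)
	fmt.Println(fixedCheck(grants, "dashboards.permissions:write", "finance"))      // false (fixed)
}
```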

Details

CWE(s)

CWE-863 (Incorrect Authorization)

Affected Products

grafana grafana: 11.6.9, 12.0.8, 12.1.5, 12.2.3, 12.3.0 · 10.2.0 — 11.6.9 · 12.0.0 — 12.0.8 · 12.1.0 — 12.1.5

CVEs Like This One

CVE-2026-27877 (same product: Grafana Grafana)
CVE-2026-21720 (same product: Grafana Grafana)
CVE-2026-27876 (same product: Grafana Grafana)
CVE-2026-27880 (same product: Grafana Grafana)
CVE-2026-22806 (shared CWE-863)
CVE-2025-0359 (shared CWE-863)
CVE-2026-41344 (shared CWE-863)
CVE-2025-4960 (shared CWE-863)
CVE-2024-45328 (shared CWE-863)
CVE-2026-4857 (shared CWE-863)
