Cyber Resilience

CVE-2026-21721

Severity: High (updated)

Published: 27 January 2026

Modified: 30 June 2026
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0039 (30.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-21721 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Grafana Grafana. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 30.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21721 is a vulnerability in Grafana's dashboard permissions API, where the API does not verify the target dashboard scope and only checks for the dashboards.permissions:* action. This flaw enables a user with permission management rights on one dashboard to read and modify permissions on other dashboards, resulting in an organization-internal privilege escalation. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-863 (Incorrect Authorization). It was published on 2026-01-27.

The attack requires low privileges, specifically the ability to manage permissions on at least one dashboard, along with network access to the Grafana instance. Exploitation has low complexity, needs no user interaction, and maintains unchanged scope. A successful attacker can achieve high confidentiality impact by reading permissions on other dashboards and high integrity impact by modifying them, facilitating broader privilege escalation within the organization.
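The authorization gap described above, reduced to a small model. This is an added example written for this page, not Grafana's code and not any part of its dashboard permissions API; the `Permission` type, the `AuthorizeActionOnly` and `AuthorizeActionAndScope` evaluators, and the `dashboards:uid:<uid>` scope string are assumptions of the model. The first evaluator asks only whether the caller holds the action, which is the CWE-863 pattern the advisory describes; the second also requires a held scope that covers the dashboard the request targets.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is one (action, scope) pair held by a user. Constructed model,
// not Grafana's own type: a scope here is a string such as
// "dashboards:uid:abc" or the wildcard "dashboards:*".
type Permission struct {
	Action string
	Scope  string
}

// scopeMatches reports whether a held scope covers the requested scope.
// A held scope ending in "*" matches any requested scope with that prefix.
func scopeMatches(held, requested string) bool {
	if strings.HasSuffix(held, "*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(held, "*"))
	}
	return held == requested
}

// AuthorizeActionOnly models the flawed check: it asks whether the user holds
// the action at all and ignores which dashboard the request targets.
func AuthorizeActionOnly(perms []Permission, action string) bool {
	for _, p := range perms {
		if p.Action == action {
			return true
		}
	}
	return false
}

// AuthorizeActionAndScope models the corrected check: the user must hold the
// action AND a scope that covers the target dashboard.
func AuthorizeActionAndScope(perms []Permission, action, targetScope string) bool {
	for _, p := range perms {
		if p.Action == action && scopeMatches(p.Scope, targetScope) {
			return true
		}
	}
	return false
}

// DashboardScope builds the scope string for a dashboard UID (assumed format).
func DashboardScope(uid string) string {
	return "dashboards:uid:" + uid
}

func main() {
	// Constructed sample: the user may manage permissions on "own-dash" only.
	user := []Permission{
		{Action: "dashboards.permissions:write", Scope: DashboardScope("own-dash")},
	}
	action := "dashboards.permissions:write"

	for _, target := range []string{"own-dash", "other-dash"} {
		fmt.Printf("target=%s action-only=%v action+scope=%v\n",
			target,
			AuthorizeActionOnly(user, action),
			AuthorizeActionAndScope(user, action, DashboardScope(target)))
	}
	// own-dash: allowed by both checks.
	// other-dash: allowed by the action-only check, denied once scope is verified.
}
```

The defender's takeaway is the second evaluator: every permission decision on a per-object API needs the object's scope as an input, and a test like the `other-dash` case above belongs in the regression suite for any RBAC change.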

Grafana has published a security advisory at https://grafana.com/security/security-advisories/cve-2026-21721 detailing the vulnerability.

Vulnerability details

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization-internal privilege escalation.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authorization bypass in dashboard permissions API directly enables exploitation for internal privilege escalation from low-privileged dashboard access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33377 (same product: Grafana Grafana)
CVE-2026-27880 (same product: Grafana Grafana)
CVE-2026-21720 (same product: Grafana Grafana)
CVE-2026-27876 (same product: Grafana Grafana)
CVE-2026-27877 (same product: Grafana Grafana)
CVE-2026-33376 (same product: Grafana Grafana)
CVE-2025-64421 (shared CWE-863)
CVE-2026-41404 (shared CWE-863)
CVE-2024-44305 (shared CWE-863)
CVE-2026-4639 (shared CWE-863)

Affected Assets

Vendor: grafana
Product: grafana
Versions: 11.6.9, 12.0.8, 12.1.5, 12.2.3, 12.3.0
Version ranges: 10.2.0 to 11.6.9 · 12.0.0 to 12.0.8 · 12.1.0 to 12.1.5

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent · AC-3 requires systems to enforce approved authorizations for access to resources, directly countering the API's failure to verify target dashboard scope.

Prevent · SI-2 mandates identification and correction of flaws like this incorrect authorization vulnerability in Grafana's permissions API.

Prevent · AC-6 least privilege limits users' permission management rights to only necessary dashboards, reducing the potential for escalation via the flawed API.
