A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
PUBLISHED (CVE record format 5.2)
Missing Protected-field Authorization in Provisioning Contact Points API
Affected products
Grafana
Grafana OSS
>= v12.3.1, < v12.3.6 - AFFECTED
>= v12.2.2, < v12.2.8 - AFFECTED
>= v12.1.5, < v12.1.10 - AFFECTED
>= v11.6.9, < v11.6.14 - AFFECTED
References
GitHub Security Advisories
GHSA-7g92-g4vh-hp84
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the...
https://github.com/advisories/GHSA-7g92-g4vh-hp84
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-21724
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-21724",
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"dateUpdated": "2026-03-26T20:06:18.829Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"datePublished": "2026-03-26T20:06:18.829Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA",
"dateUpdated": "2026-03-26T20:06:18.829Z"
},
"datePublic": "2026-03-25T22:00:37.352Z",
"title": "Missing Protected-field Authorization in Provisioning Contact Points API",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission."
}
],
"affected": [
{
"vendor": "Grafana",
"product": "Grafana OSS",
"platforms": [
"OnPrem"
],
"defaultStatus": "unaffected",
"versions": [
{
"version": ">=v12.3.1",
"status": "affected",
"versionType": "semver",
"lessThan": "<v12.3.6"
},
{
"version": ">=v12.2.2",
"status": "affected",
"versionType": "semver",
"lessThan": "<v.12.2.8"
},
{
"version": ">=v.12.1.5",
"status": "affected",
"versionType": "semver",
"lessThan": "<v.12.1.10"
},
{
"version": ">=v11.6.9",
"status": "affected",
"versionType": "semver",
"lessThan": "<v11.6.14"
}
]
}
],
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2026-21724",
"tags": [
"vendor-advisory"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"baseScore": 5.4,
"baseSeverity": "MEDIUM"
}
}
]
}
}
}