← Back
2026-02-25 12:35CVE-2026-21725GRAFANA
PUBLISHED5.2

Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name

A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.

This requires several very stringent conditions to be met:

- The attacker must have admin access to the specific datasource prior to its first deletion.

- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.

- The attacker must delete the datasource, then someone must recreate it.

- The new datasource must not have the attacker as an admin.

- The new datasource must have the same UID as the prior datasource. These are randomised by default.

- The datasource can now be re-deleted by the attacker.

- Once 30 seconds are up, the attack is spent and cannot be repeated.

- No datasource with any other UID can be attacked.

Affected products

Grafana

Grafana

< v12.4.1 - AFFECTED

References

grafana.com

https://grafana.com/security/security-advisories/cve-2026-21725

vendor-advisory

GitHub Security Advisories

GHSA-w36g-f98m-wm99

A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data...

https://github.com/advisories/GHSA-w36g-f98m-wm99

A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.

This requires several very stringent conditions to be met:

  • The attacker must have admin access to the specific datasource prior to its first deletion.
  • Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.
  • The attacker must delete the datasource, then someone must recreate it.
  • The new datasource must not have the attacker as an admin.
  • The new datasource must have the same UID as the prior datasource. These are randomised by default.
  • The datasource can now be re-deleted by the attacker.
  • Once 30 seconds are up, the attack is spent and cannot be repeated.
  • No datasource with any other UID can be attacked.
nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-21725

grafana.com

https://grafana.com/security/security-advisories/cve-2026-21725

github.com

https://github.com/advisories/GHSA-w36g-f98m-wm99

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-21725
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-21725",
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "dateUpdated": "2026-02-25T12:35:43.104Z",
    "dateReserved": "2026-01-05T09:26:06.214Z",
    "datePublished": "2026-02-25T12:35:43.104Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA",
        "dateUpdated": "2026-02-25T12:35:43.104Z"
      },
      "datePublic": "2026-02-25T08:21:23.844Z",
      "title": "Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name",
      "descriptions": [
        {
          "lang": "en",
          "value": "A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.\n\nThis requires several very stringent conditions to be met:\n\n- The attacker must have admin access to the specific datasource prior to its first deletion.\n- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.\n- The attacker must delete the datasource, then someone must recreate it.\n- The new datasource must not have the attacker as an admin.\n- The new datasource must have the same UID as the prior datasource. These are randomised by default.\n- The datasource can now be re-deleted by the attacker.\n- Once 30 seconds are up, the attack is spent and cannot be repeated.\n- No datasource with any other UID can be attacked."
        }
      ],
      "affected": [
        {
          "vendor": "Grafana",
          "product": "Grafana",
          "platforms": [
            "OnPrem"
          ],
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "v11.0.0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "v12.4.1"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://grafana.com/security/security-advisories/cve-2026-21725",
          "tags": [
            "vendor-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
            "baseScore": 2.6,
            "baseSeverity": "LOW"
          }
        }
      ]
    }
  }
}