CVE-2026-27877: Public dashboards discloses all direct mode datasources
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Security readout for executives and security teams
Plain-English summary
This Grafana issue can expose passwords for direct-mode data sources through public dashboards, even when those data sources are not used by the dashboard. The business risk is credential disclosure, not service outage. Proxied data sources are stated not to expose passwords.
Executive priority
Treat as high priority for internet-facing or partner-accessible Grafana deployments. Prioritize systems with public dashboards and direct datasource credentials, because leaked passwords can enable follow-on access to databases or observability backends.
Technical view
CVE-2026-27877 is a high-severity Grafana information disclosure issue affecting public dashboards with direct data-sources. The CVSS 3.1 score is 7.5, network exploitable, low complexity, no privileges or user interaction, with high confidentiality impact only.
Likely exposure
Exposure is likely where Grafana public dashboards are enabled and direct-mode data sources with passwords exist. The bundle lists Grafana versions 9.3.0, 12.0.0, 12.2.0, 12.3.0, and 12.4.0 as affected, with default status otherwise unaffected.
Exploitation context
The source bundle does not show CISA KEV listing or cited evidence of active exploitation. The risk is still material because the condition is remotely reachable and can disclose stored datasource passwords without authentication or user interaction.
Researcher notes
The vulnerability maps to CWE-201 and CWE-312. Sources identify confidentiality-only impact and state proxied datasource passwords are not exposed. Available bundle evidence does not include exploit artifacts, detailed vulnerable code paths, or exact fixed upstream versions.
Mitigation direction
Convert direct data sources to proxied data sources where possible.
Review the Grafana advisory for fixed-version or configuration guidance.
Review applicable Red Hat errata if using Red Hat-packaged Grafana.
Rotate passwords for exposed direct data sources after remediation.
Avoid public dashboards that coexist with direct datasource credentials until remediated.
Validation and detection
Inventory Grafana instances and versions against the affected list.
Identify public dashboards enabled on each Grafana instance.
List direct-mode data sources and confirm whether passwords are configured.
Confirm proxied data sources are not treated as exposed by this CVE.
Check vendor advisories for fixed package status before closure.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-201: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.