Bug 2358556 (CVE-2025-3260)

Summary: CVE-2025-3260 grafana: Unauthorized Dashboard Access in Grafana
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: lchilton, security-response-team, sfeifer
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Grafana. This vulnerability allows users with Viewer or Editor roles to access or modify dashboards without proper permissions.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-04-09 05:42:35 UTC
During the development of the new /apis/dashboard.grafana.app/* endpoints in Grafana 11.6.x, a security vulnerability was introduced that causes permissions to be ignored for dashboards and folders. Users with the Viewer role can view all dashboards, even if they don't have permission to view those dashboards. Users with the Editor role can view/edit/delete all dashboards, even if they don't have permission to view/edit/delete those dashboards. When anonymous authentication is configured with the Editor role, anonymous users are able to create/edit/delete all dashboards.

The vulnerability impacts instances that are running Grafana 11.6.0.
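The two exposure conditions the report names (the affected release and anonymous access granted the Editor role) can be checked from an instance's grafana.ini and the JSON body of its /api/health endpoint, which carries the running version. This is an added example, not code from the report or from Grafana; the affected-version set comes from the report, and the grafana.ini fragment and health response below are constructed samples.

```python
"""Exposure check for the Grafana dashboard-permission issue described above.

Added example (not Grafana's code). Parses a grafana.ini fragment and a
captured /api/health JSON body, and reports the conditions the report names.
"""
import configparser
import json
from typing import Optional

# The only affected release named in the report.
AFFECTED_VERSIONS = {"11.6.0"}

# Constructed sample inputs: anonymous access with the Editor role on 11.6.0.
SAMPLE_INI = """
[server]
http_port = 3000

[auth.anonymous]
enabled = true
org_name = Main Org.
org_role = Editor
"""
SAMPLE_HEALTH = '{"database": "ok", "version": "11.6.0", "commit": "placeholder"}'


def anonymous_role(ini_text: str) -> Optional[str]:
    """Return the org role anonymous requests act as, or None if anonymous auth is off."""
    cfg = configparser.ConfigParser(interpolation=None)  # grafana.ini uses ';' comments, which configparser accepts
    cfg.read_string(ini_text)
    if not cfg.has_section("auth.anonymous"):
        return None
    if not cfg.getboolean("auth.anonymous", "enabled", fallback=False):
        return None
    # Grafana grants Viewer when org_role is not set explicitly.
    return cfg.get("auth.anonymous", "org_role", fallback="Viewer")


def assess(ini_text: str, health_json: str) -> list[str]:
    """Return human-readable findings; an empty list means neither condition is present."""
    findings = []
    version = json.loads(health_json).get("version", "")
    if version in AFFECTED_VERSIONS:
        findings.append(f"running affected Grafana {version}: dashboard and folder "
                        "permissions are not enforced on /apis/dashboard.grafana.app/*")
    role = anonymous_role(ini_text)
    if role is not None and role.lower() == "editor":
        findings.append("anonymous access enabled with Editor role: on an affected version, "
                        "unauthenticated requests can create/edit/delete all dashboards")
    elif role is not None:
        findings.append(f"anonymous access enabled with {role} role: on an affected version, "
                        "unauthenticated requests can view all dashboards")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_INI, SAMPLE_HEALTH):
        print("FINDING:", finding)
```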