Bug 2452293 (CVE-2026-27877)

Summary: CVE-2026-27877 grafana: Grafana: Information disclosure of data-source passwords via public dashboards
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: lchilton, sfeifer
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Grafana. When public dashboards are used with direct data-sources, sensitive credentials, specifically passwords for all direct data-sources, are exposed. This information disclosure occurs even when these data-sources are not actively utilized in the dashboards. A remote attacker could exploit this to gain unauthorized access to other systems.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2452446    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-27 15:03:57 UTC 
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.

No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Comment 2 errata-xmlrpc 2026-04-23 22:52:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:10223 https://access.redhat.com/errata/RHSA-2026:10223
Comment 3 errata-xmlrpc 2026-04-24 07:44:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:10226 https://access.redhat.com/errata/RHSA-2026:10226
Comment 4 errata-xmlrpc 2026-04-28 22:28:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:11417 https://access.redhat.com/errata/RHSA-2026:11417
Comment 5 errata-xmlrpc 2026-04-28 22:39:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:11416 https://access.redhat.com/errata/RHSA-2026:11416
Comment 6 errata-xmlrpc 2026-05-19 16:06:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19134 https://access.redhat.com/errata/RHSA-2026:19134
Comment 7 errata-xmlrpc 2026-05-19 21:38:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19352 https://access.redhat.com/errata/RHSA-2026:19352