On Grafana instances that use an external authentication service and have the editorsCanAdmin feature enabled, Grafana Enterprise 6.1.0 introduced a mechanism that allows any authenticated user to add external groups to any existing team, without having to be an Admin of that team. This can be used to grant a user team permissions that the user is not supposed to have, bypassing access control restrictions. The vulnerability can only be triggered if at least one team is defined in Grafana, even if that team is unused.
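The following Go model, added here as an illustration and not Grafana's own code, contrasts the authentication-only check described above with an authorization check that additionally requires either the org Admin role or, when editorsCanAdmin is enabled, the Admin permission on the specific team; all type and function names are assumptions.

```go
package main

import "fmt"

// Illustrative model written for this note, not Grafana's code; all names are assumptions.
type OrgRole string

const (
	RoleEditor OrgRole = "Editor"
	RoleAdmin  OrgRole = "Admin"
)

type User struct {
	ID            int64
	Authenticated bool
	OrgRole       OrgRole
}

type Team struct {
	Admins map[int64]bool // user IDs holding the team Admin permission
}

type Config struct{ EditorsCanAdmin bool }

// vulnerableCanAddGroup models the defect: the handler checks only that the caller is
// logged in, so any authenticated user may attach an external group to any team.
func vulnerableCanAddGroup(u User, _ Team, _ Config) bool {
	return u.Authenticated
}

// fixedCanAddGroup checks authorization, not just authentication: an org Admin may always
// manage team groups; an Editor only when editorsCanAdmin is on and they administer this team.
func fixedCanAddGroup(u User, t Team, c Config) bool {
	if !u.Authenticated {
		return false
	}
	if u.OrgRole == RoleAdmin {
		return true
	}
	return c.EditorsCanAdmin && u.OrgRole == RoleEditor && t.Admins[u.ID]
}

func main() {
	cfg := Config{EditorsCanAdmin: true}
	team := Team{Admins: map[int64]bool{7: true}}
	stranger := User{ID: 42, Authenticated: true, OrgRole: RoleEditor} // not a team Admin
	fmt.Println("vulnerable:", vulnerableCanAddGroup(stranger, team, cfg)) // true
	fmt.Println("fixed:", fixedCanAddGroup(stranger, team, cfg))           // false
}
```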
Statement: Red Hat products do not ship Grafana Enterprise version, therefore they are not affected by this vulnerability.
External References: https://github.com/grafana/grafana/blob/master/CHANGELOG.md#745-2021-03-18
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-28147