Bug 2358556 (CVE-2025-3260) - CVE-2025-3260 grafana: Unauthorized Dashboard Access in Grafana
Summary: CVE-2025-3260 grafana: Unauthorized Dashboard Access in Grafana
Keywords:
Status: NEW
Alias: CVE-2025-3260
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-04-09 05:42 UTC by OSIDB Bzimport
Modified: 2025-04-28 13:29 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-04-09 05:42:35 UTC
During the development of the new /apis/dashboard.grafana.app/* endpoints in Grafana 11.6.x, a security vulnerability has been introduced that leads to permissions being ignored for dashboards and folders. Users with the Viewer role can view all dashboards, even if they don't have permissions to view those dashboards. Users with the Editor role can view/edit/delete all dashboards, even if they don't have permissions to view/edit/delete those dashboards. When anonymous authentication is configured with an editor role, anonymous users will be able to create/edit/delete all dashboards.

The vulnerability impacts instances that are running Grafana 11.6.0.
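Added here as a defender-side triage aid, not part of the bug report or of Grafana's own code: a small Python script that parses Grafana's logfmt request log and flags successful calls to the new /apis/dashboard.grafana.app/* endpoints, separating anonymous create/edit/delete calls (the anonymous-editor case above) from calls that merely need to be checked against the intended dashboard and folder permissions. The log field names (`msg="Request Completed"`, `method`, `path`, `status`, `userId`, `uname`) and the sample lines are assumptions constructed for the example.

```python
import re

# Prefix of the new dashboard API introduced in Grafana 11.6.x (from the report).
NEW_API_PREFIX = "/apis/dashboard.grafana.app/"
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')  # logfmt key=value tokens

# Constructed sample lines. Field names are an assumption modelled on Grafana's
# router logging (userId=0 with empty uname = anonymous); all values are made up.
SAMPLE_LOG = [
    'logger=context userId=0 orgId=1 uname= level=info msg="Request Completed" method=DELETE '
    'path=/apis/dashboard.grafana.app/v1alpha1/namespaces/default/dashboards/abc123 status=200',
    'logger=context userId=42 orgId=1 uname=viewer1 level=info msg="Request Completed" method=GET '
    'path=/apis/dashboard.grafana.app/v1alpha1/namespaces/default/dashboards status=200',
    'logger=context userId=42 orgId=1 uname=viewer1 level=info msg="Request Completed" method=GET '
    'path=/api/dashboards/uid/abc123 status=200',
    'logger=context userId=0 orgId=1 uname= level=info msg="Request Completed" method=GET '
    'path=/apis/dashboard.grafana.app/v1alpha1/namespaces/default/dashboards status=403',
]

def parse_logfmt(line):
    """Parse one logfmt line into a dict, unquoting quoted values."""
    fields = {}
    for key, value in _TOKEN.findall(line):
        if len(value) >= 2 and value[0] == '"' == value[-1]:
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields

def triage(lines):
    """Return (category, user, method, path) for successful calls to the new API.
    anonymous-mutation: an unauthenticated identity created/edited/deleted a
    dashboard (the anonymous-editor case in the report). Other hits are flagged
    for review only: the log cannot show whether the ACL check was skipped."""
    findings = []
    for line in lines:
        f = parse_logfmt(line)
        if f.get("msg") != "Request Completed":
            continue
        path, method = f.get("path", ""), f.get("method", "")
        if not path.startswith(NEW_API_PREFIX):
            continue  # legacy /api/* endpoints are not in scope for this bug
        if not 200 <= int(f.get("status") or 0) < 300:
            continue  # a denied request is the behaviour the fix restores
        if f.get("userId") == "0" or not f.get("uname"):
            cat = "anonymous-mutation" if method in MUTATING else "anonymous-read"
            findings.append((cat, "anonymous", method, path))
        else:
            findings.append(("review-permissions", f["uname"], method, path))
    return findings
```

Run it over the instance's real server log after enabling router logging; a "review-permissions" hit is only a lead until compared with the dashboard's actual ACL, whereas an "anonymous-mutation" hit on an 11.6.0 instance is direct evidence of the behaviour described above.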

