Bug 2458704 (CVE-2025-12141) - CVE-2025-12141 Grafana: Grafana: Information disclosure of secure settings via contact point modification
Keywords:
Status: NEW
Alias: CVE-2025-12141
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2458890
Blocks:
Reported: 2026-04-15 16:01 UTC by OSIDB Bzimport
Modified: 2026-04-16 06:12 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-15 16:01:33 UTC
In Grafana's alerting system, users with edit permissions for a contact point (specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test”, which are granted as part of the fixed role "Contact Point Writer", itself part of the basic role Editor) can edit contact points created by other users and modify the endpoint URL to point at a server they control. By invoking the test functionality, such a user can cause the redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens), to be delivered to that server and captured. This leads to unauthorized access to, and potential compromise of, external integrations.
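The issue described above is that an endpoint URL holding stored credentials can be repointed at an arbitrary destination and then exercised. One server-side mitigation is to validate the destination of a contact point before the change is saved, and to treat a host change on a contact point that already carries secure settings as something that needs review rather than a silent update. The following is an added illustration of those two checks in Go; it is not Grafana's code, and the allowlist, function names and the "hasSecureSettings" flag are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed allowlist of destinations a contact point may deliver to.
// In a real deployment this would come from configuration; it is an
// assumption of this example, not a Grafana setting.
var allowedHosts = map[string]bool{
	"hooks.slack.com":    true,
	"alerts.example.com": true,
}

// ValidateNotifierURL rejects endpoint URLs that would send notification
// payloads (and therefore any credentials attached to them) anywhere other
// than an approved, TLS-protected destination.
func ValidateNotifierURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable URL: %w", err)
	}
	if u.Scheme != "https" {
		return errors.New("only https endpoints are allowed")
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return errors.New("missing host")
	}
	// Refuse IP literals: approved integrations have stable names, so a
	// bare address is a strong signal the destination is not an approved one.
	if net.ParseIP(host) != nil {
		return errors.New("IP-literal hosts are not allowed")
	}
	if !allowedHosts[host] {
		return fmt.Errorf("host %q is not an approved notification destination", host)
	}
	return nil
}

// EndpointChangeNeedsReview is the second guard: when a contact point that
// already holds secure settings has its endpoint moved to a different host,
// the change should not be applied silently even if the new host is allowed,
// because the stored secret would be delivered to the new destination on the
// next test or alert. hasSecureSettings is an assumed flag supplied by the caller.
func EndpointChangeNeedsReview(oldURL, newURL string, hasSecureSettings bool) bool {
	if !hasSecureSettings {
		return false
	}
	o, err1 := url.Parse(oldURL)
	n, err2 := url.Parse(newURL)
	if err1 != nil || err2 != nil {
		// Fail closed: an unparseable URL on either side gets a human look.
		return true
	}
	return !strings.EqualFold(o.Hostname(), n.Hostname())
}

func main() {
	// Constructed sample inputs.
	for _, raw := range []string{
		"https://hooks.slack.com/services/PLACEHOLDER",
		"https://203.0.113.10/collect",
		"http://hooks.slack.com/services/PLACEHOLDER",
	} {
		fmt.Printf("%-48s -> %v\n", raw, ValidateNotifierURL(raw))
	}
	fmt.Println("review needed:",
		EndpointChangeNeedsReview("https://hooks.slack.com/a", "https://alerts.example.com/b", true))
}
```

The allowlist check alone closes the "controlled server" path; the review check covers the case where both the old and new hosts are approved but the credential would still move between integrations. Both checks belong at the point where the contact point is persisted, not only in the test endpoint, since the same URL is used for real alert delivery.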

