CVE-2021-39226

CVE-2021-39226 is an improper authentication vulnerability in github.com/grafana/grafana (go): the snapshot feature lets requests to the literal placeholder paths view, and in some configurations delete, the snapshot with the lowest database key without any authentication. It affects versions before 7.5.11 and 8.0.0 through 8.1.5, and is fixed in 7.5.11 and 8.1.6. Grafana's own advisory rates it Critical (CVSS 9.8); this page also quotes a 7.3 (High) score from a separate scoring of the same flaw.

Summary

Today we are releasing Grafana 7.5.11, and 8.1.6. These patch releases include an important security fix for an issue that affects all Grafana versions from 2.0.1.

Grafana Cloud instances have already been patched and an audit did not find any usage of this attack vector. Grafana Enterprise customers were provided with updated binaries under embargo.

8.1.5 contained a single fix for bar chart panels. We believe that users can expedite deployment by moving from 8.1.4 to 8.1.6 directly.

CVE-2021-39226 Snapshot authentication bypass

CVSS Score: 9.8 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

We received a security report to [email protected] on 2021-09-15 about a vulnerability in Grafana regarding the snapshot feature. It was later identified as affecting Grafana versions from 2.0.1 up to and including 8.1.5. CVE-2021-39226 has been assigned to this vulnerability.

Attack audit

While we cannot guarantee that the checks below will identify every attack, if they do turn something up you should consider doing a full assessment.

Through reverse proxy/load balancer logs

To determine whether your Grafana installation has been exploited for this vulnerability, search your reverse proxy/load balancer access logs for requests whose path is the literal string /dashboard/snapshot/:key, /api/snapshots/:key or /api/snapshots-delete/:deleteKey (the router placeholder text itself, not a real snapshot key) and whose response status code was 200 (OK).
For example, if you are using the Kubernetes ingress-nginx controller and sending logs to Loki, use a LogQL query like {job="nginx-ingress-controller"} |= "\"status\": 200" |= "\"uri\": \"/api/snapshots/:key\"" and repeat it for the other two paths.

Through the Grafana Enterprise audit feature

If you enabled "Log web requests" in your configuration with router_logging = true, look for
"requestUri":"/api/snapshots-delete/", "requestUri":"/api/snapshots/:key", or "type":"snapshot" in combination with "action":"delete".
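The two log searches above (proxy access logs and the Grafana Enterprise audit log), as an added example that is not Grafana's or Kodem's code: a Go scanner over newline-delimited JSON log records in the two shapes the advisory describes, an ingress-nginx record with "uri" and "status" fields and an Enterprise audit record with "requestUri" or with "type":"snapshot" and "action":"delete". The field names and the sample lines are constructed for the example; adapt them to your own log format. It matches only the literal placeholder strings, because a normal snapshot request carries a real key and must not be flagged.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Literal placeholder paths the advisory tells you to hunt for. A real
// snapshot request carries an actual key here, so only the placeholder
// strings themselves are suspicious.
var literalSnapshotPaths = map[string]bool{
	"/dashboard/snapshot/:key":         true,
	"/api/snapshots/:key":              true,
	"/api/snapshots-delete/:deleteKey": true,
}

// Hit is one log line that matches the audit criteria.
type Hit struct {
	Line   int
	Path   string
	Status int
	Source string // "proxy" (access log) or "audit" (Enterprise audit log)
}

// pathOf returns the request path from either log shape: ingress-nginx
// JSON ("uri", assumed field name) or Grafana Enterprise audit JSON
// ("requestUri"). Query strings are stripped so "/api/snapshots/:key?x=1"
// still matches.
func pathOf(rec map[string]interface{}) (string, string) {
	if v, ok := rec["uri"].(string); ok {
		return strings.SplitN(v, "?", 2)[0], "proxy"
	}
	if v, ok := rec["requestUri"].(string); ok {
		return strings.SplitN(v, "?", 2)[0], "audit"
	}
	return "", ""
}

// statusOf tolerates both numeric and string status fields; 0 if absent.
func statusOf(rec map[string]interface{}) int {
	switch s := rec["status"].(type) {
	case float64:
		return int(s)
	case string:
		var n int
		fmt.Sscanf(s, "%d", &n)
		return n
	}
	return 0
}

// ScanSnapshotAudit reads newline-delimited JSON log records and returns
// the lines that indicate a request to one of the literal placeholder paths.
// Proxy lines count only when the upstream answered 200, as the advisory
// specifies; audit lines have no status field and count on path alone,
// as do audit records with "type":"snapshot" and "action":"delete".
func ScanSnapshotAudit(logs string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(logs))
	for n := 1; sc.Scan(); n++ {
		var rec map[string]interface{}
		if err := json.Unmarshal(sc.Bytes(), &rec); err != nil {
			continue // not JSON: skip rather than guess
		}
		path, src := pathOf(rec)
		status := statusOf(rec)
		switch {
		case literalSnapshotPaths[path] && (src == "audit" || status == 200):
			hits = append(hits, Hit{n, path, status, src})
		case rec["type"] == "snapshot" && rec["action"] == "delete":
			hits = append(hits, Hit{n, path, status, "audit"})
		}
	}
	return hits
}

// Constructed sample records (not real logs). Lines 2, 4, 5 and 6 should
// be flagged; line 1 is a legitimate request with a real key, line 3 was
// refused, and line 7 is not JSON.
const sampleLogs = `{"uri": "/api/snapshots/abc123def", "status": 200}
{"uri": "/api/snapshots/:key", "status": 200}
{"uri": "/api/snapshots/:key", "status": 401}
{"uri": "/dashboard/snapshot/:key?orgId=1", "status": 200}
{"requestUri":"/api/snapshots-delete/:deleteKey","method":"GET"}
{"type":"snapshot","action":"delete","requestUri":"/api/snapshots/xyz"}
not json at all`

func main() {
	for _, h := range ScanSnapshotAudit(sampleLogs) {
		fmt.Printf("line %d: source=%s path=%s status=%d\n", h.Line, h.Source, h.Path, h.Status)
	}
}
```

Feed ScanSnapshotAudit the full retention window of your logs, not just the last few days: the flaw existed since 2.0.1, so any hit, however old, should trigger the full assessment the advisory asks for.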

Patched versions

Release 8.1.6:

Release 7.5.11:

Solutions and mitigations

Download and install the appropriate patch for your version of Grafana.

Grafana Cloud instances have already been patched, and Grafana Enterprise customers were provided with updated binaries under embargo.

Workaround

If for some reason you cannot upgrade:

You can use a reverse proxy or similar to block access to the literal paths

  • /api/snapshots/:key
  • /api/snapshots-delete/:deleteKey
  • /dashboard/snapshot/:key

These placeholder paths have no normal function (a real snapshot URL always carries an actual key in place of :key or :deleteKey), so they can be blocked without side effects. Blocking is a stopgap until you can upgrade.
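The workaround above, as an added example that is neither Grafana's nor Kodem's code: a minimal Go reverse proxy that refuses the three literal placeholder paths with 403 and forwards everything else to Grafana. The listen address (:8080) and the Grafana address (127.0.0.1:3000) are assumptions for the example. The check runs on the decoded and cleaned path component, so a percent-encoded colon (%3Akey), a query string or a trailing slash does not get past it.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
)

// The literal placeholder paths the advisory's workaround tells you to
// block. A real snapshot URL always carries an actual key, never the
// router placeholder text, so refusing these exact strings breaks nothing.
var blockedLiteralPaths = map[string]bool{
	"/api/snapshots/:key":              true,
	"/api/snapshots-delete/:deleteKey": true,
	"/dashboard/snapshot/:key":         true,
}

// BlockSnapshotPlaceholders answers 403 for the literal placeholder paths
// and hands everything else to next. r.URL.Path is already percent-decoded
// by net/http, and path.Clean removes trailing slashes and dot segments,
// so the comparison is against the normalized form the router would see.
func BlockSnapshotPlaceholders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if blockedLiteralPaths[path.Clean(r.URL.Path)] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed addresses for the example: Grafana on 3000, this proxy on 8080.
	upstream, err := url.Parse("http://127.0.0.1:3000")
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe(":8080", BlockSnapshotPlaceholders(proxy)))
}
```

If you already front Grafana with nginx, the same rule is three exact-match locations such as `location = /api/snapshots/:key { return 403; }`; nginx matches locations against the decoded URI, so the encoded variant is caught there as well. Whatever proxy you use, confirm the block with a request for each literal path and one for a real snapshot key before relying on it.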

Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

  • 2021-09-15 14:49: Tuan Tran [email protected] sends initial report about viewing snapshots without authentication
  • 2021-09-15 15:56: Initial reproduction
  • 2021-09-15 17:10: MEDIUM severity declared
  • 2021-09-15 18:58: Workaround deployed on Grafana Cloud
  • 2021-09-15 19:15: /api/snapshots/:key found to be vulnerable as well
  • 2021-09-15 19:30: /api/snapshots/:key blocked on Grafana Cloud
  • 2021-09-16 09:31: /api/snapshots-delete/:deleteKey found to be vulnerable as well, blocked on Grafana Cloud. From this point forward, Cloud is not affected any more.
  • 2021-09-16 09:35: HIGH severity declared
  • 2021-09-16 11:19: Realization that combination of deletion and viewing allows enumeration and permanent DoS
  • 2021-09-16 11:19: CRITICAL declared
  • 2021-09-17 10:53: Determination that no weekend work is needed. While issue is CRITICAL, scope is very limited
  • 2021-09-17 14:26: Audit of Grafana Cloud concluded, no evidence of exploitation
  • 2021-09-23: Grafana Cloud instances updated
  • 2021-09-28 12:00: Grafana Enterprise images released to customers under embargo
  • 2021-10-05 17:00: Public release

Reporting security issues

If you think you have found a security vulnerability, please send a report to [email protected]. This address can be used for all of Grafana Labs's open source and commercial products (including but not limited to Grafana, Tempo, Loki, Amixr, k6, Tanka, Grafana Cloud, Grafana Enterprise, and grafana.com). We only accept vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is:

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keys.gnupg.net by searching for security@grafana (http://keys.gnupg.net/pks/lookup?search=security@grafana&fingerprint=on&op=index).

Security announcements

We maintain a category on the community site named Security Announcements, where we will post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to email updates to this category if you have a grafana.com account and sign in to the community site, or via updates from our Security Announcements RSS feed.

Acknowledgement

We would like to thank Tran Viet Tuan for responsibly disclosing the initially discovered vulnerability to us.

Impact

Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:

  • /dashboard/snapshot/:key, or
  • /api/snapshots/:key

If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:

  • /api/snapshots-delete/:deleteKey

Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:

  • /api/snapshots/:key, or
  • /api/snapshots-delete/:deleteKey

Because each deletion makes the next-lowest key the new lowest one, alternating view and delete lets an attacker walk through every snapshot in the database, at the cost of destroying every snapshot along the way (complete and permanent snapshot data loss).

The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.

CVE-2021-39226 is listed here with a CVSS score of 7.3 (High); Grafana's own advisory rates the same flaw 9.8 (Critical). Both scorings agree on the exposure: the attack is network-reachable and needs neither privileges nor user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects you depends on whether the vulnerable code is present and reachable; for this CVE that means any unpatched Grafana whose HTTP interface the attacker can reach, since the literal paths require no authentication. A fixed version is available (7.5.11, 8.1.6); upgrading removes the vulnerable code path.

Affected versions

  • github.com/grafana/grafana (< 7.5.11)
  • github.com/grafana/grafana (>= 8.0.0, < 8.1.6)

Security releases

  • github.com/grafana/grafana → 7.5.11 (go)
  • github.com/grafana/grafana → 8.1.6 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade the following packages to resolve this vulnerability:

  • On 7.x: upgrade github.com/grafana/grafana to 7.5.11 or later
  • On 8.x: upgrade github.com/grafana/grafana to 8.1.6 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2021-39226? CVE-2021-39226 is an improper authentication vulnerability in github.com/grafana/grafana (go), affecting versions before 7.5.11 and 8.0.0 through 8.1.5. It is fixed in 7.5.11 and 8.1.6. The snapshot endpoints do not adequately verify the identity of the requester before granting access to, or deletion of, snapshot data.
  2. How severe is CVE-2021-39226? This page lists a CVSS score of 7.3 (High); Grafana's own advisory rates it 9.8 (Critical). Either score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/grafana/grafana are affected by CVE-2021-39226? github.com/grafana/grafana (go) versions before 7.5.11, and 8.0.0 through 8.1.5, are affected.
  4. Is there a fix for CVE-2021-39226? Yes. CVE-2021-39226 is fixed in 7.5.11 (7.x) and 8.1.6 (8.x). Upgrade to the fixed release for your branch or later.
  5. Is CVE-2021-39226 exploitable, and should I be worried? Whether CVE-2021-39226 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2021-39226 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2021-39226?
    • On 7.x, upgrade github.com/grafana/grafana to 7.5.11 or later
    • On 8.x, upgrade github.com/grafana/grafana to 8.1.6 or later
    • If you cannot upgrade yet, block the three literal snapshot paths at your reverse proxy (see Workaround above)

Other vulnerabilities in github.com/grafana/grafana

