Summary
Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes a critical security fix for CVE-2022-39328.
Release 9.2.4 is the latest patch release and contains the security fix.
Appropriate patches have been applied to Grafana Cloud and, as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They received early notification under embargo and confirmed that their offerings were secure at the time of this announcement. This applies to Amazon Managed Grafana and Azure Managed Grafana.
Privilege escalation
An internal security audit identified a race condition in the Grafana codebase that allows an unauthenticated user to query an arbitrary endpoint in Grafana.
A race condition in HTTP context creation could cause an HTTP request to be assigned the authentication/authorization middlewares of another call. Under heavy load, a call protected by a privileged middleware can instead receive the middleware of a public query.
As a result, an unauthenticated user can successfully query protected endpoints. The bypass depends on the timing of concurrent requests rather than on any attacker-controlled input, so it is not tied to a particular endpoint or parameter.
The CVSS score for this vulnerability is 9.8 (Critical).
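The failure mode described above, as an added illustrative example in Go; this is not Grafana's code and does not reproduce the actual Grafana 9.2 context handler. It puts a router that parks the matched middleware chain in a field shared by all in-flight requests beside one that keeps the chain local to the call. The `Request`, `Router`, `SharedRouter` and `PerRequestRouter` types, the route table and the `SetYield` hook are assumptions made for the demonstration; the hook stands in for a goroutine switch between route matching and middleware execution, so the interleaving is deterministic instead of depending on load.

```go
package main

import (
	"errors"
	"fmt"
)

// Request is a minimal stand-in for an incoming HTTP request; empty User means unauthenticated.
type Request struct{ Path, User string }
// Middleware inspects a request and returns a non-nil error to reject it.
type Middleware func(*Request) error

var ErrNotFound = errors.New("not found")
var ErrUnauthorized = errors.New("unauthorized")

func requireAdmin(r *Request) error { // privileged middleware
	if r.User != "admin" {
		return ErrUnauthorized
	}
	return nil
}
func public(r *Request) error { return nil } // middleware of a public endpoint

// routes maps a path to its middleware chain (constructed table; both routers below use it).
var routes = map[string][]Middleware{
	"/api/health":         {public},
	"/api/admin/settings": {requireAdmin},
}

// run applies a middleware chain to a request, stopping at the first rejection.
func run(chain []Middleware, req *Request) error {
	for _, m := range chain {
		if err := m(req); err != nil {
			return err
		}
	}
	return nil
}

// hook stands in for the scheduler switching to another request between route matching and
// middleware execution; it exists only to make the interleaving deterministic in this example.
type hook struct{ yield func() }

func (h *hook) SetYield(f func()) { h.yield = f }
func (h *hook) switchRequest() {
	if h.yield != nil {
		h.yield()
	}
}

type Router interface {
	Handle(*Request) error
	SetYield(func())
}

// SharedRouter models the vulnerable pattern: the matched chain lives in a field that every
// in-flight request writes and then reads back.
type SharedRouter struct {
	hook
	current []Middleware
}

func (s *SharedRouter) Handle(req *Request) error {
	chain, ok := routes[req.Path]
	if !ok {
		return ErrNotFound
	}
	s.current = chain          // (1) write shared state
	s.switchRequest()          // another request may overwrite s.current here
	return run(s.current, req) // (2) read it back: possibly the other request's chain
}

// PerRequestRouter keeps the matched chain local to the call, so concurrent requests cannot
// observe each other's middleware.
type PerRequestRouter struct{ hook }

func (p *PerRequestRouter) Handle(req *Request) error {
	chain, ok := routes[req.Path]
	if !ok {
		return ErrNotFound
	}
	p.switchRequest()
	return run(chain, req) // chain is this request's own
}

// DemoRace dispatches an unauthenticated request to the admin route while a public request is
// dispatched "concurrently" through the hook. A nil result means the privileged check was bypassed.
func DemoRace(r Router) error {
	interleaved := false
	r.SetYield(func() {
		if interleaved {
			return // interleave once only, so the inner dispatch does not recurse
		}
		interleaved = true
		_ = r.Handle(&Request{Path: "/api/health"}) // the public request wins the race
	})
	return r.Handle(&Request{Path: "/api/admin/settings", User: ""})
}

func main() {
	fmt.Println("shared state:     ", DemoRace(&SharedRouter{}))     // <nil>: bypass
	fmt.Println("per-request state:", DemoRace(&PerRequestRouter{})) // unauthorized
}
```

The hook makes the bypass reproducible on a single goroutine; in a real server the same write at (1) and read at (2) race across goroutines and only win under load. Driving `SharedRouter.Handle` from several goroutines under `go run -race` reports the data race on `current`, while `PerRequestRouter` has no shared write for the detector to find.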
Impacted versions
All installations of Grafana 9.2.0 through 9.2.3 (versions >= 9.2.0 and < 9.2.4).
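A check for the impacted range that an operator can run against an instance, added here as example Go code and not part of the Grafana advisory: it parses the JSON returned by Grafana's unauthenticated `/api/health` endpoint and tests the reported version against 9.2.0 <= v < 9.2.4. The sample body is constructed; `healthResponse`, `AffectedByCVE202239328`, `CheckHealthJSON` and `FetchHealth` are names chosen for this example, and treating a pre-release tag such as 9.2.0-beta1 as its base version is an assumption.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strconv"
	"strings"
	"time"
)

// healthResponse holds the fields of Grafana's /api/health reply (example type, not Grafana's own).
type healthResponse struct {
	Commit   string `json:"commit"`
	Database string `json:"database"`
	Version  string `json:"version"`
}

// parseVersion splits "9.2.3", "v9.2.3" or "9.2.3-pre" into numeric components.
// Assumption: a pre-release or build suffix is dropped and the tag counts as its base version.
func parseVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("unexpected version format %q", v)
	}
	var n [3]int
	for i, p := range parts {
		if n[i], err = strconv.Atoi(p); err != nil {
			return 0, 0, 0, fmt.Errorf("non-numeric component in %q: %w", v, err)
		}
	}
	return n[0], n[1], n[2], nil
}

// AffectedByCVE202239328 reports whether a Grafana version is in the advisory's affected
// range: >= 9.2.0 and < 9.2.4.
func AffectedByCVE202239328(version string) (bool, error) {
	major, minor, patch, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	return major == 9 && minor == 2 && patch < 4, nil
}

// CheckHealthJSON parses an /api/health body and returns the reported version and whether it
// is affected. A missing version is an error: some deployments hide it, and then the installed
// package or binary has to be inspected instead.
func CheckHealthJSON(body []byte) (version string, affected bool, err error) {
	var h healthResponse
	if err := json.Unmarshal(body, &h); err != nil {
		return "", false, fmt.Errorf("decoding health response: %w", err)
	}
	if h.Version == "" {
		return "", false, errors.New("health response carries no version")
	}
	affected, err = AffectedByCVE202239328(h.Version)
	return h.Version, affected, err
}

// FetchHealth GETs <baseURL>/api/health with a short timeout and returns the body.
func FetchHealth(baseURL string) ([]byte, error) {
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get(strings.TrimRight(baseURL, "/") + "/api/health")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s", resp.Status)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 1<<16))
}

func main() {
	// Constructed sample body in the shape /api/health returns; a base URL on the command
	// line replaces it with a live fetch.
	body := []byte(`{"commit":"abcdef0","database":"ok","version":"9.2.3"}`)
	if len(os.Args) > 1 {
		var err error
		if body, err = FetchHealth(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, "fetch failed:", err)
			os.Exit(2)
		}
	}
	version, affected, err := CheckHealthJSON(body)
	if err != nil {
		fmt.Fprintln(os.Stderr, "check failed:", err)
		os.Exit(2)
	}
	fmt.Printf("Grafana %s affected by CVE-2022-39328: %v\n", version, affected)
}
```

Run it with no argument to see the constructed sample evaluated, or with a base URL (for example `go run . https://grafana.example.internal`) to query a real instance. The version string is all the check uses, so it works equally on output copied from the Grafana UI footer or from the package manager.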
Solutions and mitigations
To fully address CVE-2022-39328, upgrade your Grafana instances to 9.2.4 or later. The advisory offers no configuration workaround; upgrading is the fix.
Appropriate patches have already been applied to Grafana Cloud.
Reporting security issues
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to, Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.
Impact
An unauthenticated user can reach endpoints that should require authentication or elevated privileges, and the bypass is not limited to any particular endpoint.
Multiple concurrent operations access a shared resource without proper synchronization, producing results that depend on timing. Here the shared resource is the per-request HTTP context, so one request can execute with the authentication/authorization middleware of another; the general class of bug also covers TOCTOU exploits and data corruption, and in this case yields privilege escalation.
CVE-2022-39328 has a CVSS score of 9.8 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (9.2.4); upgrading removes the vulnerable code path.
Affected versions
github.com/grafana/grafana (go): >= 9.2.0, < 9.2.4
Security releases
9.2.4 (fixed version)
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2022-39328? CVE-2022-39328 is a critical-severity race condition vulnerability in github.com/grafana/grafana (go), affecting versions >= 9.2.0, < 9.2.4. It is fixed in 9.2.4. Multiple concurrent operations access a shared resource without proper synchronization, producing unpredictable results depending on timing; here a request can be assigned the authentication/authorization middleware of a concurrent request, so an unauthenticated call can reach a protected endpoint.
- How severe is CVE-2022-39328? CVE-2022-39328 has a CVSS score of 9.8 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/grafana/grafana are affected by CVE-2022-39328? github.com/grafana/grafana (go) versions >= 9.2.0, < 9.2.4 are affected.
- Is there a fix for CVE-2022-39328? Yes. CVE-2022-39328 is fixed in 9.2.4. Upgrade to this version or later.
- Is CVE-2022-39328 exploitable, and should I be worried? Whether CVE-2022-39328 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2022-39328 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2022-39328? Upgrade github.com/grafana/grafana to 9.2.4 or later.