
Grafana Labs has released a round of security patches to address CVE-2025-3415, a medium-severity vulnerability (CVSS 4.3) that could expose sensitive configuration data in Grafana Alerting, specifically the DingDing contact points.
“An incident occurred where the DingDing alerting integration URL was inadvertently exposed to viewers due to a setting oversight,” Grafana Labs disclosed in the advisory.
The vulnerability affects Grafana versions up to and including 12.0.1, and was introduced by misconfigured access control, which allowed users with Viewer-level permissions to access alerting URLs in plain text.
When Grafana Alerting is configured with DingDing as a contact point, the webhook URL is stored in the configuration, often containing sensitive information or API keys.
Due to the flaw described in CVE-2025-3415, any user with Viewer-level permissions in the Grafana interface could:
- View the full webhook URL
- Copy the DingDing token or API key embedded in the URL
- Potentially send spoofed or malicious alerts via the DingDing integration
“A configured DingDing contact point in Grafana Alerting can be exposed in plain text to Grafana users with Viewer permissions,” Grafana Labs confirms.
Grafana Labs has issued patched versions that fully mitigate this vulnerability. Users are advised to upgrade to the security patch release for their release line:
- Grafana 12.0.1+security-01
- Grafana 11.6.2+security-01
- Grafana 11.5.5+security-01
- Grafana 11.4.5+security-01
- Grafana 11.3.7+security-01
- Grafana 11.2.10+security-01
- Grafana 10.4.19+security-01
As a temporary workaround, administrators can:
- Remove or disable DingDing contact point configurations
- Revoke compromised DingDing API tokens
- Restrict Viewer permissions until patches are deployed
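The advisory's patched builds carry a `+security-01` suffix that strict semver treats as ignorable build metadata, so a naive version comparison would call a vulnerable `12.0.1` and the fixed `12.0.1+security-01` equal. The following is an added example, not code from Grafana Labs or the advisory, that checks a Grafana version string against the patch levels listed above; it assumes the version is read from the `version` field of Grafana's `/api/health` JSON and treats release lines not listed (e.g. 11.1.x) as unpatched.

```python
import json
import re

# Patched builds listed in the advisory for CVE-2025-3415.
PATCHED_BUILDS = [
    "12.0.1+security-01", "11.6.2+security-01", "11.5.5+security-01",
    "11.4.5+security-01", "11.3.7+security-01", "11.2.10+security-01",
    "10.4.19+security-01",
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse_version(s):
    """Return (major, minor, patch, security); security is 0 without a
    '+security-NN' suffix. Keeping the suffix as a fourth component is what
    lets a patched build sort above the release it was cut from."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {s!r}")
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec or 0))


def is_patched(version):
    """True if `version` is at or above the fixed build on its major.minor
    line. Assumption: lines with no listed patch are reported as vulnerable,
    and anything newer than 12.0.1 (the last affected release) is fixed."""
    v = parse_version(version)
    for p in PATCHED_BUILDS:
        pv = parse_version(p)
        if pv[:2] == v[:2]:
            return v >= pv
    newest = max(parse_version(p) for p in PATCHED_BUILDS)
    return v[:3] > newest[:3]


def version_from_health(body):
    """Extract the version from a /api/health response body."""
    return json.loads(body)["version"]


# Constructed sample of a /api/health response from an unpatched instance.
SAMPLE_HEALTH = '{"commit": "abc123", "database": "ok", "version": "11.5.5"}'

if __name__ == "__main__":
    v = version_from_health(SAMPLE_HEALTH)
    print(v, "patched" if is_patched(v) else "VULNERABLE (CVE-2025-3415)")
```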