
Grafana Labs has issued security updates for multiple product versions, addressing one high and two medium-severity vulnerabilities affecting Grafana OSS and Enterprise editions. The most serious—CVE-2025-3260, rated CVSS 8.3 (HIGH)—could allow unauthorized access and modification of dashboards, even by users with minimal permissions.
CVE-2025-3260: Dashboard Permission Bypass
Introduced in Grafana 11.6.0, this vulnerability lives in the /apis/dashboard.grafana.app/* endpoints and lets users holding the Viewer or Editor role bypass dashboard-level permissions within their organization:
- Viewers can access all dashboards, regardless of assigned access.
- Editors can view, edit, and delete any dashboard in the same organization.
- The flaw also affects anonymous users when configured with Viewer or Editor roles.
Organization boundaries remain intact, but the advisory singles out instances with anonymous access enabled as particularly exposed: no credentials are needed to reach the affected endpoints, and the anonymous role alone decides whether every dashboard in the organization becomes readable (Viewer) or editable and deletable (Editor).
CVE-2025-2703: DOM XSS in XY Chart Plugin
A medium-severity DOM-based cross-site scripting (XSS) vulnerability, reported by an external researcher, was found in Grafana's built-in XY chart plugin. Rated CVSS 6.8, it lets an Editor, or any user holding the general.writer RBAC permission, inject malicious code into an XY chart that then executes as arbitrary JavaScript in the browser.
Grafana Labs notes that existing Content Security Policies (CSPs) do not prevent this vulnerability and recommends enabling Trusted Types, a CSP mechanism (the require-trusted-types-for 'script' directive) that makes the browser reject raw strings written to DOM sinks such as innerHTML, to mitigate DOM-based XSS vectors.
CVE-2025-3454: Data Source Proxy Permission Bypass
The third flaw, CVE-2025-3454, is another medium-severity vulnerability (CVSS 5.0), this one in Grafana's data source proxy API. It allows:
- Unauthorized read access to GET endpoints of Prometheus and Alertmanager data sources by appending an extra forward slash (/) to the proxy path, which slips the request past the route-specific permission check.
- The issue affects Grafana 8.0 and later, and specifically the read-only (GET) routes of data sources configured with basic auth and route-specific permissions.
“Grafana users could gain unauthorized read access to GET endpoints… despite their assigned roles and permissions,” the team warns.
Affected Versions and Patches
The vulnerabilities affect the following versions:
- CVE-2025-3260: ≥ Grafana 11.6.0
- CVE-2025-2703: ≥ Grafana 11.1.0
- CVE-2025-3454: ≥ Grafana 8.0
Patches are available in these releases (a series without a listed security build, such as 11.1.x or 11.0.x, has no fix of its own and must be moved to one of them):
- Grafana 11.6.0+security-01
- Grafana 11.5.3+security-01
- Grafana 11.4.3+security-01
- Grafana 11.3.5+security-01
- Grafana 11.2.8+security-01
- Grafana 10.4.17+security-01
Mitigation
If immediate patching is not feasible, Grafana recommends the following interim mitigations:
- For CVE-2025-3260: Block inbound traffic to the following paths (this disables these endpoints for every client, legitimate tooling included, until you patch):
  - /apis/dashboard.grafana.app/v0alpha1
  - /apis/dashboard.grafana.app/v1alpha1
  - /apis/dashboard.grafana.app/v2alpha1
- For CVE-2025-2703: Enable Trusted Types to enforce stricter DOM manipulation policies.
- For CVE-2025-3454: Put a reverse proxy in front of Grafana that normalizes incoming URLs (in particular, collapses repeated slashes in the path) before forwarding them.
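The following Python script is an added example, not Grafana Labs' code, that turns the version table and the three interim mitigations above into checks an operator can run: it parses Grafana version strings and reports whether a build is one of the listed security releases and which of the three CVEs an unpatched build is exposed to; it applies the path normalization a front proxy should perform for CVE-2025-3454 (collapsing the extra slash) and the prefix block for CVE-2025-3260; and it inspects a Content-Security-Policy value for the Trusted Types directive recommended for CVE-2025-2703. Assumptions, all mine rather than the advisory's: that later point releases within a listed series carry the fix, that the edge rule blocking the dashboard API answers 403, and that /api/health and /login are reachable (only the optional live_check touches the network). The sample paths in the comments are constructed for illustration.

```python
"""Operator checks for the advisory above. Added example, not Grafana Labs code:
everything except live_check() is pure and runs offline; live_check() is an
optional urllib wrapper for a real instance and is never called at import."""
import posixpath
import re

# Security releases listed in the advisory, keyed by minor series.
PATCHED = {(11, 6): (11, 6, 0), (11, 5): (11, 5, 3), (11, 4): (11, 4, 3),
           (11, 3): (11, 3, 5), (11, 2): (11, 2, 8), (10, 4): (10, 4, 17)}
# Lowest affected version per CVE ("affects >= X" in the advisory).
AFFECTED_FROM = {"CVE-2025-3260": (11, 6, 0), "CVE-2025-2703": (11, 1, 0),
                 "CVE-2025-3454": (8, 0, 0)}
# Prefixes the advisory says to block at the edge for CVE-2025-3260.
BLOCKED_PREFIXES = tuple(f"/apis/dashboard.grafana.app/v{n}alpha1" for n in (0, 1, 2))
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?")


def parse_version(v):
    """'11.6.0+security-01' -> ((11, 6, 0), 1); '11.5.2' -> ((11, 5, 2), 0)."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {v!r}")
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch)), int(sec or 0)

def is_patched(v):
    """True/False for a series with a listed security build; None when the advisory
    lists none for that series. Assumption: later point releases carry the fix."""
    ver, sec = parse_version(v)
    target = PATCHED.get(ver[:2])
    if target is None:
        return None
    return ver > target or (ver == target and sec >= 1)

def exposed_cves(v):
    """CVEs an unpatched build of v is exposed to, per the advisory's ranges."""
    patched = is_patched(v)
    if patched:
        return []
    ver, _ = parse_version(v)
    if patched is None and ver[:2] > max(PATCHED):
        raise ValueError(f"{v} post-dates the advisory; check its own release notes")
    return [cve for cve, low in AFFECTED_FROM.items() if ver >= low]

def normalize_path(path):
    """Collapse repeated slashes and dot segments: the normalization a front proxy
    should apply for CVE-2025-3454. A trailing slash is kept so only a real change
    (e.g. the constructed '/api/datasources/proxy/1//api/v1/query') is reported."""
    if not path:
        return "/"
    norm = posixpath.normpath(re.sub(r"/{2,}", "/", path))
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm + "/" if path.endswith("/") and norm != "/" else norm

def needs_normalization(path):
    """True when forwarding path unchanged would hand Grafana an unnormalized URL."""
    return normalize_path(path) != path

def is_blocked_path(request_target):
    """Edge rule for CVE-2025-3260. The query is cut with a plain split rather than
    urllib.parse, which would read '//apis/...' as a host and lose the prefix."""
    path = normalize_path(request_target.split("?", 1)[0])
    return any(path == p or path.startswith(p + "/") for p in BLOCKED_PREFIXES)

def enforces_trusted_types(csp):
    """True when a Content-Security-Policy value carries require-trusted-types-for
    'script', the directive that makes the browser reject raw strings at DOM sinks."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "require-trusted-types-for":
            return "'script'" in parts[1:]
    return False

def live_check(base_url, token=None, timeout=5, blocked_status=403):
    """Network check (assumptions: the edge rule answers 403; /api/health reports
    the version; the CSP header is read from the /login HTML response)."""
    import json, urllib.error, urllib.request
    hdrs = {"Authorization": f"Bearer {token}"} if token else {}

    def get(path):
        req = urllib.request.Request(base_url.rstrip("/") + path, headers=hdrs)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                return r.status, r.headers, r.read()
        except urllib.error.HTTPError as e:
            return e.code, e.headers, b""

    status, _, body = get("/api/health")
    version = json.loads(body).get("version", "") if status == 200 else ""
    csp = get("/login")[1].get("Content-Security-Policy", "")
    blocked = {p: get(p)[0] == blocked_status for p in BLOCKED_PREFIXES}
    return {"version": version, "patched": is_patched(version) if version else None,
            "dashboard_api_blocked": blocked, "trusted_types": enforces_trusted_types(csp)}
```

Run live_check("https://grafana.example.internal", token) from an operator host after applying the reverse-proxy rule: a prefix that answers anything other than the expected block status means the rule is not in effect, and a "patched" value of None means the running series has no security build listed in this advisory and must be upgraded to one that does.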
Grafana Labs urges all users and organizations to update as soon as possible: “If you are currently running Grafana OSS or Grafana Enterprise, please update to one of the above security releases to address all the vulnerabilities.”