{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21727", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-01-05T09:26:06.215Z", "datePublished": "2026-04-15T18:57:25.185Z", "dateUpdated": "2026-04-15T19:57:25.515Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-04-15T19:25:08.126Z"}, "datePublic": "2026-04-15T18:52:20.510Z", "title": "Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record", "descriptions": [{"lang": "en", "value": "---\ntitle: Cross-Tenant Legacy Correlation Disclosure and Deletion\ndraft: false\nhero:\n image: /static/img/heros/hero-legal2.svg\n content: \"# Cross-Tenant Legacy Correlation Disclosure and Deletion\"\ndate: 2026-01-29\nproduct: Grafana\nseverity: Low\ncve: CVE-2026-21727\ncvss_score: \"3.3\"\ncvss_vector: \"CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N\"\nfixed_versions:\n - \">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4\"\n---\nA cross-tenant isolation vulnerability was found in Grafana\u2019s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4.\n\nThanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability."}], "affected": [{"vendor": "Grafana", "product": "Grafana Correlations", "platforms": ["OnPrem"], "defaultStatus": "unaffected", "versions": [{"version": "10.2.0", "status": "affected", "versionType": "semver", "lessThan": "12.4.0"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-21727", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T19:56:51.668906Z", "id": "CVE-2026-21727", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T19:57:25.515Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21727", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T19:56:51.668906Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T19:56:56.495Z"}}], "cna": {"title": "Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "Grafana", "product": "Grafana Correlations", "versions": [{"status": "affected", "version": "10.2.0", "lessThan": "12.4.0", "versionType": "semver"}], "platforms": ["OnPrem"], "defaultStatus": "unaffected"}], "datePublic": "2026-04-15T18:52:20.510Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-21727", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "---\ntitle: Cross-Tenant Legacy Correlation Disclosure and Deletion\ndraft: false\nhero:\n image: /static/img/heros/hero-legal2.svg\n content: \"# Cross-Tenant Legacy Correlation Disclosure and Deletion\"\ndate: 2026-01-29\nproduct: Grafana\nseverity: Low\ncve: CVE-2026-21727\ncvss_score: \"3.3\"\ncvss_vector: \"CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N\"\nfixed_versions:\n - \">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4\"\n---\nA cross-tenant isolation vulnerability was found in Grafana\u2019s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4.\n\nThanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability."}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-04-15T19:25:08.126Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21727", "state": "PUBLISHED", "dateUpdated": "2026-04-15T19:57:25.515Z", "dateReserved": "2026-01-05T09:26:06.215Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-04-15T18:57:25.185Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "---\ntitle: Cross-Tenant Legacy Correlation Disclosure and Deletion\ndraft: false\nhero:\n image: /static/img/heros/hero-legal2.svg\n content: \"# Cross-Tenant Legacy Correlation Disclosure and Deletion\"\ndate: 2026-01-29\nproduct: Grafana\nseverity: Low\ncve: CVE-2026-21727\ncvss_score: \"3.3\"\ncvss_vector: \"CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N\"\nfixed_versions:\n - \">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4\"\n---\nA cross-tenant isolation vulnerability was found in Grafana\u2019s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4.\n\nThanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability."}], "id": "CVE-2026-21727", "lastModified": "2026-04-15T20:16:34.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 2.5, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-04-15T20:16:34.290", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2026-21727"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T22:10:23.459137+00:00", "value": {"mitigation_remediation": ["Apply the Grafana Correlations patch available for version 11.6.11, 12.0.9, 12.1.6, or 12.2.4 and later.", "Restrict datasource\u2011management privileges to trusted users and enforce the principle of least privilege.", "Review and delete legacy correlation records that were created before Grafana 10.2 to reduce potential exposure.", "If upgrading is not immediately possible, monitor and audit any action performed by users with datasource\u2011management rights for unauthorized data deletion."], "summary": {"action": "Update Software", "impact": "Cross\u2011Tenant Data Disclosure and Permanent Deletion"}, "threat_synthesis": {"affected_systems": "Grafana Correlations is affected. Vulnerable installations include any Grafana 10.x version or Grafana 11.x prior to 11.6.10, Grafana 12.0.x prior to 12.0.9, Grafana 12.1.x prior to 12.1.6, and Grafana 12.2.x prior to 12.2.4. Correlations created before Grafana 10.2 are also impacted.", "description_and_impact": "Cross\u2011Tenant Legacy Correlation Disclosure and Deletion is a flaw in Grafana\u2019s Correlations feature that allows a user with datasource\u2011management privileges to read and delete legacy correlation records belonging to other organizations. The issue arises from a backward\u2011compatibility setting that permits records tagged with org_id=0 to be returned across all tenants. As a result, sensitive correlation data can be exposed and permanently removed by an attacker who has sufficient privileges within Grafana. The weakness is a mis\u2011configured access control that permits unauthorized disclosure and modification of data.", "risk_and_exploitability": "The CVSS vector indicates advisability of remote exploitation with high complexity and requiring high privilege, specifically datasource\u2011management rights. The CVSS score of 3.3 classifies the vulnerability as low severity; no EPSS data is available and it is not listed in the KEV catalog, suggesting a low likelihood of real\u2011world exploitation. To exploit the flaw, an attacker would need to possess or compromise an account that has datasource\u2011management privileges within Grafana and then access the legacy correlation records, read their contents and perform delete operations that permanently erase the data."}}}}, "created": "2026-04-15T22:15:15.708143+00:00", "updated": "2026-04-15T22:15:15.708152+00:00", "vendors": [], "weaknesses": ["CWE-200", "CWE-284"]}