{
  "threat_severity" : "Important",
  "public_date" : "2026-03-27T14:02:11Z",
  "bugzilla" : {
    "description" : "grafana: Grafana: Information disclosure of data-source passwords via public dashboards",
    "id" : "2452293",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2452293"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-201",
  "details" : [ "When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.", "A flaw was found in Grafana. When public dashboards are used with direct data-sources, sensitive credentials, specifically passwords for all direct data-sources, are exposed. This information disclosure occurs even when these data-sources are not actively utilized in the dashboards. A remote attacker could exploit this to gain unauthorized access to other systems." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10223",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "grafana-0:10.2.6-24.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19134",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "grafana-0:10.2.6-26.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-04-28T00:00:00Z",
    "advisory" : "RHSA-2026:11417",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "grafana-0:10.2.6-23.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-24T00:00:00Z",
    "advisory" : "RHSA-2026:10226",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "grafana-0:10.2.6-20.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19352",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "grafana-0:10.2.6-22.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-04-28T00:00:00Z",
    "advisory" : "RHSA-2026:11416",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "grafana-0:10.2.6-20.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-27877\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27877\nhttps://grafana.com/security/security-advisories/cve-2026-27877" ],
  "name" : "CVE-2026-27877",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}