BIT-grafana-2025-3454

BIT-grafana-2025-3454 PUBLISHED CVSS 5 MEDIUM

This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.

Risk Scores

CVSS v3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Affected Products

Vendor	Product	Versions
Bitnami	grafana	10.4.0, 11.2.0, 11.6.0

Timeline

Jun 4, 2025 CVE Published
Jun 9, 2025 CVE Updated

References

https://grafana.com/security/security-advisories/cve-2025-3454/ url
https://nvd.nist.gov/vuln/detail/CVE-2025-3454 url

Open in Interactive Console →