VDB
CVE-2026-21721
CVE-2026-21721
PUBLISHED
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
EPSS 0.02% · 5.2th percentile
Risk Scores
EPSS Score
0.02%
5.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | grafana | 10.2.0, 12.1.0, 12.2.0 |
| Bitnami | grafana | 10.2.0, 12.0.0, 12.1.0 |
Timeline
- Jan 27, 2026 EPSS Score
- Jan 27, 2026 CVE Published
- Jan 27, 2026 PoC Published
- Jan 27, 2026 PoC Published
- Jan 30, 2026 EPSS Score
- Feb 1, 2026 EPSS Score
- Feb 4, 2026 EPSS Score
- Feb 6, 2026 EPSS Score
- Feb 9, 2026 EPSS Score
- Feb 11, 2026 EPSS Score
- Feb 14, 2026 EPSS Score
- Feb 16, 2026 EPSS Score