VDB

CVE-2026-21721

CVE-2026-21721 PUBLISHED

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.

EPSS 0.02% · 5.2th percentile

Risk Scores

EPSS Score
0.02%
5.2th percentile

Affected Products

VendorProductVersions
Bitnamigrafana10.2.0, 12.1.0, 12.2.0
Bitnamigrafana10.2.0, 12.0.0, 12.1.0

Timeline

  • Jan 27, 2026 EPSS Score
  • Jan 27, 2026 CVE Published
  • Jan 27, 2026 PoC Published
  • Jan 27, 2026 PoC Published
  • Jan 30, 2026 EPSS Score
  • Feb 1, 2026 EPSS Score
  • Feb 4, 2026 EPSS Score
  • Feb 6, 2026 EPSS Score
  • Feb 9, 2026 EPSS Score
  • Feb 11, 2026 EPSS Score
  • Feb 14, 2026 EPSS Score
  • Feb 16, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›