Security researchers have disclosed two high-severity vulnerabilities in Grafana, the open-source observability platform widely used for monitoring and visualization.
Tracked as CVE-2026-27876 and CVE-2026-27880, these flaws could allow unauthenticated attackers to bypass authentication and gain unauthorized access to sensitive dashboard data and configurations. Both carry a CVSS v4.0 base score of 9.1 (Critical), stemming from flaws in Grafana’s authentication middleware and session handling.
CVE-2026-27876, dubbed “Auth Bypass via Token Replay,” affects Grafana versions 10.0.0 through 11.2.1. It arises from improper validation of API tokens during the OAuth2 and anonymous access flows. Grafana’s `/api/auth/keys` endpoint, responsible for generating and validating service account tokens, fails to enforce token expiration checks on replayed requests.
An attacker who intercepts a valid token, for example via network sniffing on a misconfigured proxy or a MITM position, can replay it indefinitely against the `/api/dashboards/uid/` endpoint. Technically, this exploits a race condition in the `grafana-server` middleware stack.
When a token is issued, it is stored in Redis (or the default SQLite backend) with a TTL, but the validation logic in `pkg/services/authn/token.go` only checks signature integrity via JWT HS256, skipping nonce and timestamp verification.
Proof-of-concept (PoC) code, released by the discovering team at ShadowPeak Labs, demonstrates extraction of a token from browser dev tools, followed by a curl request:

```
curl -H "Authorization: Bearer <replayed_token>" https://grafana.example.com/api/dashboards/uid/example-dashboard
```

This yields full JSON payloads of dashboard metadata, including panel queries that pull from Prometheus or Loki data sources, potentially exposing metrics like CPU usage, API keys embedded in query variables, or even custom annotations containing PII.

The second flaw, CVE-2026-27880 (“Session Fixation in Anonymous Mode”), impacts versions 9.5.0 to 11.2.1.
It targets Grafana’s anonymous authentication mode, enabled by default in open instances for public dashboards. Attackers can hijack a victim’s session cookie by crafting malicious links that set the `grafana_sess` cookie to a controlled value.
Once the victim accesses a legitimate dashboard, the fixed session grants the attacker read access to all anonymous-viewable resources. Under the hood, this stems from weak cookie prefix handling in `pkg/web/session.go`.
Grafana prefixes session IDs with `grafana_session:`, but the parser accepts arbitrary prefixes without regeneration on first access.
Exploitation involves a single GET request:

```
https://grafana.example.com/d/example-dashboard?orgId=1&__session=<attacker_controlled_id>
```

Combined with social engineering (e.g., phishing links mimicking Grafana alerts), attackers can pivot to enumerate datasources via `/api/datasources` or export dashboards as JSON.
In clustered setups with multiple organizations, cross-tenant leakage is possible if anonymous access spans orgs. These vulnerabilities affect over 1.2 million exposed Grafana instances, per Shodan scans as of March 2026.
Enterprises using Grafana Cloud or the self-hosted Enterprise edition are equally vulnerable, as the flaws reside in the core server code. No evidence of active exploitation exists yet, but the low complexity (no privileges required) and remote vector make exploitation attempts all but inevitable.
Detection relies on audit logs: watch for anomalous `/api/auth/keys` 200 responses from unknown IPs, or the same token being used repeatedly or from several source addresses. Tools like Grafana’s built-in audit logging (enabled via `audit.enabled = true` in grafana.ini) or Falco rulesets can flag session fixation via cookie anomalies.
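The following is an added example of the detection logic described above, written for this article and not taken from Grafana, ShadowPeak Labs or Falco. It runs three checks over a constructed request log: a `/api/auth/keys` 200 from an address outside a trusted set, a session identifier passed in the URL (the `__session` parameter named above), and one bearer token seen from more than one client address, which is the observable footprint of a replayed token. The log line format and the `tok=`/`sess=` fields are assumptions; adapt `LINE_RE` to the real log shape before use.

```python
"""Flag token-replay and session-fixation patterns in a Grafana-style request log.

Added example for this article, not Grafana's own code. The log format below is a
constructed approximation; field names (tok=, sess=) are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log (not real Grafana output):
# <timestamp> <client ip> <method> <path> <status> [key=value ...]
SAMPLE_LOG = """\
2026-03-02T10:00:01Z 203.0.113.5 GET /api/auth/keys 200 tok=ab12
2026-03-02T10:00:05Z 203.0.113.5 GET /api/dashboards/uid/example-dashboard 200 tok=ab12
2026-03-02T10:09:30Z 198.51.100.7 GET /api/auth/keys 200 tok=ab12
2026-03-02T10:09:40Z 198.51.100.7 GET /api/dashboards/uid/example-dashboard 200 tok=ab12
2026-03-02T10:09:42Z 198.51.100.7 GET /api/datasources 200 tok=ab12
2026-03-02T10:12:00Z 192.0.2.9 GET /d/example-dashboard?orgId=1&__session=fixed123 200 sess=fixed123
2026-03-02T10:12:30Z 192.0.2.9 GET /api/datasources 200 tok=cd34
"""

# Addresses from which token-management calls are expected (assumed allowlist).
TRUSTED_IPS = frozenset({"203.0.113.5"})

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3})(?: (?P<kv>.*))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Trailing key=value pairs (e.g. tok=..., sess=...) become extra fields.
    for kv in (rec.pop("kv") or "").split():
        if "=" in kv:
            key, value = kv.split("=", 1)
            rec[key] = value
    return rec


def analyze(log_text, trusted_ips, max_ips_per_token=1):
    """Return a list of findings; each finding is a dict with a 'rule' key."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    token_ips = defaultdict(set)

    for r in records:
        # Rule 1: successful token-management call from an address we do not expect.
        if r["path"].startswith("/api/auth/keys") and r["status"] == 200 \
                and r["ip"] not in trusted_ips:
            findings.append({"rule": "auth-keys-from-unknown-ip",
                             "ip": r["ip"], "ts": r["ts"]})
        # Rule 2: a session identifier supplied in the URL, the fixation vector above.
        if "__session=" in r["path"]:
            findings.append({"rule": "session-id-in-url",
                             "ip": r["ip"], "ts": r["ts"]})
        tok = r.get("tok")
        if tok:
            token_ips[tok].add(r["ip"])

    # Rule 3: the same bearer token presented from more client addresses than allowed.
    for tok, ips in token_ips.items():
        if len(ips) > max_ips_per_token:
            findings.append({"rule": "token-reused-from-multiple-ips",
                             "token": tok, "ips": sorted(ips)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, TRUSTED_IPS):
        print(f)
```

Rule 3 deliberately keys on the token value rather than the user, because a replayed token is presented by the legitimate holder and by the interceptor under the same identity; only the client address (or TLS fingerprint, if the proxy logs one) separates them. Raise `max_ips_per_token` for tokens that legitimately roam across NAT or a load-balanced fleet, and feed the findings to whatever alerting the team already uses.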
According to Grafana, mitigation is straightforward: upgrade to Grafana 11.2.2 or later, which adds nonce checks against token replay and enforces session regeneration on anonymous mode entry.
As an interim fix, restrict anonymous access (`anonymous.enabled = false`), enforce HTTPS with HSTS, and rotate all API tokens. For air-gapped setups, apply patches manually via Docker image `grafana/grafana:11.2.2`.
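As an added illustration of the interim hardening steps above (not Grafana's own tooling), the script below audits a `grafana.ini` for the settings those steps correspond to: anonymous access, HTTPS, the Secure cookie flag and HSTS. It uses the real `grafana.ini` section and key names (`[auth.anonymous] enabled`, `[server] protocol`, `[security] cookie_secure`, `[security] strict_transport_security`) and Grafana's documented defaults for keys that are absent; the two embedded configurations are constructed samples, one weak and one hardened.

```python
"""Audit a grafana.ini for the interim mitigations: anonymous access off, HTTPS,
Secure cookies and HSTS. Added example for this article, not Grafana's own code.
"""
import configparser

# Constructed sample: the exposed state the article warns about.
WEAK_INI = """\
[server]
protocol = http

[auth.anonymous]
enabled = true
org_role = Viewer

[security]
cookie_secure = false
"""

# Constructed sample: the same file after applying the interim fixes.
HARDENED_INI = """\
[server]
protocol = https

[auth.anonymous]
enabled = false

[security]
cookie_secure = true
strict_transport_security = true
"""

# (section, key, Grafana default when the key is absent, required value, reason)
CHECKS = [
    ("auth.anonymous", "enabled", "false", "false",
     "anonymous access is enabled; disable until patched (session fixation exposure)"),
    ("server", "protocol", "http", "https",
     "plain HTTP lets bearer tokens be captured on the wire and replayed"),
    ("security", "cookie_secure", "false", "true",
     "session cookie is not marked Secure"),
    ("security", "strict_transport_security", "false", "true",
     "HSTS is not enforced"),
]


def audit_ini(text):
    """Return one finding per check whose effective value differs from the required one."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section, key, default, required, reason in CHECKS:
        # Absent keys take Grafana's default, so an empty [security] still fails HSTS.
        actual = cp.get(section, key, fallback=default).strip().lower()
        if actual != required:
            findings.append({
                "setting": f"[{section}] {key}",
                "actual": actual,
                "required": required,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: {len(audit_ini(ini))} finding(s)")
        for f in audit_ini(ini):
            print(f"  {f['setting']} = {f['actual']} (want {f['required']}): {f['reason']}")
```

Run it against the live file with `audit_ini(open("/etc/grafana/grafana.ini").read())`; an empty list means the four interim settings are in place. Token rotation and the upgrade to 11.2.2 itself are outside what a config check can prove, so treat a clean result as necessary, not sufficient.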
Grafana Labs urges immediate patching and provides full advisories at [grafana.com/security](https://grafana.com/security). Independent verification by CISA confirms the issues and adds them to KEV. Organizations should audit exposed instances and review data-source query security to limit the blast radius.