{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-21725","assignerOrgId":"57da9224-a3e2-4646-9d0e-c4dc2e05e7da","state":"PUBLISHED","assignerShortName":"GRAFANA","dateReserved":"2026-01-05T09:26:06.214Z","datePublished":"2026-02-25T12:35:43.104Z","dateUpdated":"2026-05-13T19:28:24.214Z"},"containers":{"cna":{"providerMetadata":{"orgId":"57da9224-a3e2-4646-9d0e-c4dc2e05e7da","shortName":"GRAFANA","dateUpdated":"2026-05-13T19:28:24.214Z"},"datePublic":"2026-02-25T08:21:23.844Z","title":"Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name","descriptions":[{"lang":"en","value":"A time-of-check-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.\n\nThis requires several very stringent conditions to be met:\n\n- The attacker must have admin access to the specific datasource prior to its first deletion.\n- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.\n- The attacker must delete the datasource, then someone must recreate it.\n- The new datasource must not have the attacker as an admin.\n- The new datasource must have the same UID as the prior datasource. These are randomised by default.\n- The datasource can now be re-deleted by the attacker.\n- Once 30 seconds are up, the attack is spent and cannot be repeated.\n- No datasource with any other UID can be attacked."}],"affected":[{"vendor":"Grafana","product":"Grafana","platforms":["OnPrem"],"defaultStatus":"unaffected","versions":[{"version":"v11.0.0","status":"affected","versionType":"semver","lessThan":"v12.4.1"}]}],"references":[{"url":"https://grafana.com/security/security-advisories/cve-2026-21725","tags":["vendor-advisory"]}],"metrics":[{"cvssV3_1":{"version":"3.1","baseScore":2.6,"baseSeverity":"LOW","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L"}}],"source":{"discovery":"BUG_BOUNTY"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-367","lang":"en","description":"CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-25T15:13:32.666615Z","id":"CVE-2026-21725","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-10T13:25:12.332Z"}}]}}