CVE-2026-21727

Name
CVE-2026-21727
Description
--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security@grafana.com https://grafana.com/security/security-advisories/cve-2026-21727

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* grafana >= None < 11.6.11
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* grafana >= 12.0.0 < 12.0.9
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* grafana >= 12.1.0 < 12.1.6
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* grafana >= 12.2.0 < 12.2.4
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* grafana >= 12.3.0 < 12.3.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
grafana edge-community 12.2.1-r4 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 12.2.1-r3 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 12.2.1-r2 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 12.2.1-r1 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 12.2.1-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 12.1.1-r2 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 12.1.1-r1 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 12.1.1-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 12.0.2-r2 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 12.0.2-r1 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 12.0.2-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 12.0.1-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 12.0.0-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 11.6.1-r0 None possibly vulnerable
grafana edge-community 11.6.0-r2 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 11.6.0-r1 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 11.6.0-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 11.5.2-r1 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 11.5.2-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 11.5.1-r1 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 11.5.1-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 11.5.0-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 11.4.0-r1 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 11.4.0-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 11.3.2-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 11.3.1-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 11.1.4-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 9.1.2-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 9.0.3-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 8.5.3-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 8.3.6-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 8.3.4-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 8.3.2-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 8.3.1-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 8.2.4-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana edge-community 7.4.5-r0 None possibly vulnerable
grafana edge-community 7.0.2-r0 None possibly vulnerable
grafana edge-community 6.3.4-r0 None possibly vulnerable
grafana 3.23-community 12.2.1-r5 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana 3.23-community 12.2.1-r4 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana 3.23-community 12.2.1-r3 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana 3.23-community 12.2.1-r2 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana 3.23-community 12.2.1-r1 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable