OverviewWhy AttestdQuickstartResponse FieldsAPI ReferenceSDK Reference↳ Python↳ JavaScriptAccount & PortalAI Agent IntegrationCI/CD IntegrationIntegrations↳ MCP Server↳ LangChain↳ LangChain (JS)↳ AutoGenProductsSupply chainFAQ
products / grafana

Grafana

Grafana is the dominant open-source observability platform for metrics, logs, and traces. A compromised instance exposes read access to the full infrastructure telemetry stack. NVD tracks it as grafana:grafana with semver-style version ranges.

api usage

Querying Grafana

product sluggrafana
version format10.0.0, 9.5.0, 8.3.0
bash
curl "https://api.attestd.io/v1/check?product=grafana&version=10.0.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

Grafana 10.0.0 is affected by CVE-2023-3128 (Azure AD OAuth authentication bypass when Azure AD groups are used for role mapping). The aggregated response expects risk_state: "critical".

json
{
  "product": "grafana",
  "version": "10.0.0",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "authentication_bypass",
    "internet_exposed_service",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "10.0.1",
  "confidence": 0.91,
  "cve_ids": ["CVE-2023-3128"],
  "last_updated": "2026-05-27T00:00:00Z"
}
safe version

Grafana 11.3.0 is used as a patched-line example; confirm with live /v1/check after ingestion.

bash
curl "https://api.attestd.io/v1/check?product=grafana&version=11.3.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
notable cves

CVE history

Grafana CVE history spans unauthenticated path traversal via plugin URLs, CSRF-based privilege escalation, OAuth authentication bypass, SSRF in data source plugins, and stored XSS in dashboard rendering.

CVEDescriptionAffectsCVSS
CVE-2023-3128Authentication bypass via Azure AD OAuth when Azure AD groups are used for Grafana role mapping, enabling account takeover.10.0.09.4
CVE-2022-21703Cross-site request forgery in Grafana OAuth flow leading to privilege escalation to admin.8.3.0 to 8.3.48.8
CVE-2021-43798Path traversal via plugin URL handling allowing unauthenticated arbitrary local file read.8.0.0 to 8.3.07.5
CVE-2024-9476Privilege escalation via organization role assignment in Grafana user management APIs.see NVD7.5
CVE-2024-8118Stored cross-site scripting in Grafana annotation and dashboard features.see NVD6.1
related
All productsZabbixKibanaResponse Field Reference