=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN107
_____________________________________________________________________

DATE                : 02/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Grafana versions prior to
                        12.3.1+security-01, 12.2.3+security-01,
                        12.1.5+security-01, 12.0.8+security-01,
                             11.6.9+security-01.

=====================================================================
https://grafana.com/security/security-advisories/cve-2026-21720/
https://grafana.com/security/security-advisories/cve-2026-21721/
_____________________________________________________________________

Unauthenticated DoS in avatar cache in Grafana

High
Advisory ID:	CVE-2026-21720
Published:	2026-01-27
Product:	Grafana
CVSS Score:	7.5
CVSS Vector:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Fixed Versions (each line is an affected range; the excluded upper
bound is the release that carries the fix):
>=12.3.0 <12.3.1+security-01
>=12.2.0 <12.2.3+security-01
>=12.1.0 <12.1.5+security-01
>=12.0.0 <12.0.8+security-01
>=3.0.0 <11.6.9+security-01


Summary

Grafana is an open-source platform for monitoring and observability.
It lets users have their own avatars, which can be sourced from the
Gravatar service API. Requests to Gravatar go through a cache so that
Grafana does not overload the service.

If such a request does not complete within the 3-second timeout, the
goroutine that issued it is never cleaned up and keeps running. The
endpoint is reachable without authentication (PR:N in the vector
above), so an attacker who repeats these requests can accumulate
leaked goroutines and cause a denial of service (DoS).

This bug was reported by sam18191 via our bug bounty program.
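The goroutine leak described above, as an added illustration in Go; this is not Grafana's code, and the fetch signature, channel layout and the constructed slowUpstream stand-in are assumptions. It puts the leaky shape beside a bounded one and counts the goroutines left behind after repeated timed-out requests.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"runtime"
	"time"
)

// fetchFn stands in for the outbound Gravatar request (assumed signature).
type fetchFn func(ctx context.Context) ([]byte, error)

type fetchResult struct {
	data []byte
	err  error
}

var errTimeout = errors.New("avatar fetch timed out")

// slowUpstream is a constructed upstream that never answers on its own: it
// returns only once the caller's context is cancelled.
func slowUpstream(ctx context.Context) ([]byte, error) {
	<-ctx.Done()
	return nil, ctx.Err()
}

// fetchLeaky is the anti-pattern. The worker gets a context that is never
// cancelled and reports back on an unbuffered channel. When the caller gives
// up after the timeout, the worker is stuck either inside the upstream call
// or on a send that nobody will receive, and it is never collected.
func fetchLeaky(fetch fetchFn, timeout time.Duration) ([]byte, error) {
	ch := make(chan fetchResult)
	go func() {
		data, err := fetch(context.Background())
		ch <- fetchResult{data: data, err: err}
	}()
	select {
	case r := <-ch:
		return r.data, r.err
	case <-time.After(timeout):
		return nil, errTimeout
	}
}

// fetchBounded closes both holes: the timeout is a context the worker
// observes, so the upstream call is abandoned when the caller gives up, and
// the result channel has room for one value, so the worker's last send
// completes even after the caller has returned.
func fetchBounded(fetch fetchFn, timeout time.Duration) ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	ch := make(chan fetchResult, 1)
	go func() {
		data, err := fetch(ctx)
		ch <- fetchResult{data: data, err: err}
	}()
	select {
	case r := <-ch:
		return r.data, r.err
	case <-ctx.Done():
		return nil, errTimeout
	}
}

// leakedGoroutines issues n requests against slowUpstream through fn, waits
// up to a second for workers to exit, and reports how many goroutines
// remain beyond the count measured before the loop.
func leakedGoroutines(fn func(fetchFn, time.Duration) ([]byte, error), n int) int {
	base := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		_, _ = fn(slowUpstream, 5*time.Millisecond)
	}
	deadline := time.Now().Add(time.Second)
	for runtime.NumGoroutine() > base && time.Now().Before(deadline) {
		time.Sleep(10 * time.Millisecond)
	}
	return runtime.NumGoroutine() - base
}

func main() {
	fmt.Printf("leaky:   %d goroutines left behind after 100 timed-out requests\n",
		leakedGoroutines(fetchLeaky, 100))
	fmt.Printf("bounded: %d goroutines left behind after 100 timed-out requests\n",
		leakedGoroutines(fetchBounded, 100))
}
```

The bounded variant depends on both changes at once: a context the worker observes, so the upstream call is abandoned when the caller gives up, and a buffered result channel, so the worker's final send cannot block. Dropping either one brings the leak back, and an unauthenticated caller who can trigger the slow path only needs to loop.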

_____________________________________________________________________

Cross-dashboard privilege escalation via permission management

High
Advisory ID:	CVE-2026-21721
Published:	2026-01-27
Product:	Grafana
CVSS Score:	8.1
CVSS Vector:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Fixed Versions (each line is an affected range; the excluded upper
bound is the release that carries the fix):
>=12.3.0 <12.3.1+security-01
>=12.2.0 <12.2.3+security-01
>=12.1.0 <12.1.5+security-01
>=12.0.0 <12.0.8+security-01
>=10.2.0 <11.6.9+security-01


Summary

Grafana is an open-source platform for monitoring and observability.
It lets users create dashboards, which collate various visualisation
panels onto one plane, and each dashboard can carry per-user
permissions.

A user who holds permission-management rights on one dashboard can
edit the permissions of any other dashboard in the instance, not only
the one the right was granted for. Because that right was meant to be
scoped to a single dashboard, this is a privilege escalation across
dashboards by an authenticated, low-privileged user (PR:L in the
vector above).

This bug was reported by se1en via our bug bounty program.
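The scope mistake behind this class of bug, as an added Go illustration that is not Grafana's code. The action and scope strings follow the shape of Grafana's RBAC naming ("dashboards.permissions:write" on "dashboards:uid:<uid>"), but the permission model, user records and helper names are assumptions. The unscoped check asks only whether the caller holds the action anywhere; the scoped one requires it on the dashboard actually being edited.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// permission is one RBAC grant: an action on a scope. The string shapes echo
// Grafana's RBAC naming, but this model is an assumption for illustration.
type permission struct {
	action string
	scope  string
}

type user struct {
	name  string
	perms []permission
}

const actionManagePerms = "dashboards.permissions:write"

var errForbidden = errors.New("forbidden: no permission-management right on this dashboard")

// scopeMatches reports whether a granted scope covers the requested one:
// "*" covers everything, a trailing ":*" covers that prefix, otherwise exact.
func scopeMatches(granted, requested string) bool {
	if granted == "*" {
		return true
	}
	if strings.HasSuffix(granted, ":*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return granted == requested
}

// applyACL stands in for persisting the new ACL; it keys entries by dashboard.
func applyACL(uid string, acl map[string]string) map[string]string {
	out := make(map[string]string, len(acl))
	for principal, role := range acl {
		out[uid+"/"+principal] = role
	}
	return out
}

// setPermissionsUnscoped is the vulnerable shape: it asks only whether the
// caller holds the action on *some* dashboard, never on which one, so a grant
// on dashboard A authorises ACL changes on dashboard B.
func setPermissionsUnscoped(u user, targetUID string, acl map[string]string) (map[string]string, error) {
	for _, p := range u.perms {
		if p.action == actionManagePerms {
			return applyACL(targetUID, acl), nil
		}
	}
	return nil, errForbidden
}

// setPermissionsScoped binds the check to the object being modified: the
// action must be granted on a scope that covers targetUID.
func setPermissionsScoped(u user, targetUID string, acl map[string]string) (map[string]string, error) {
	want := "dashboards:uid:" + targetUID
	for _, p := range u.perms {
		if p.action == actionManagePerms && scopeMatches(p.scope, want) {
			return applyACL(targetUID, acl), nil
		}
	}
	return nil, errForbidden
}

func main() {
	alice := user{name: "alice", perms: []permission{{action: actionManagePerms, scope: "dashboards:uid:A"}}}
	acl := map[string]string{"user:mallory": "Admin"}
	_, err := setPermissionsUnscoped(alice, "B", acl)
	fmt.Println("unscoped, alice -> B:", err) // nil: the bug
	_, err = setPermissionsScoped(alice, "B", acl)
	fmt.Println("scoped,   alice -> B:", err) // forbidden
	_, err = setPermissionsScoped(alice, "A", acl)
	fmt.Println("scoped,   alice -> A:", err) // nil
}
```

When reviewing an authorisation check of this kind, the question to ask is whether the object identifier from the request (here targetUID) reaches the permission lookup at all; if the lookup takes only the user and the action, any per-object grant silently becomes a global one.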


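A check of whether a given Grafana version falls inside the ranges listed under either advisory above, as an added example that is not Grafana tooling. It assumes versions of the form MAJOR.MINOR.PATCH with an optional +security-NN suffix and rejects anything else. The caveat it encodes: SemVer treats "+security-01" as build metadata with no ordering, so a stock SemVer comparison reports 12.3.1 and 12.3.1+security-01 as equal and a naive "below the fixed version" test would miss the affected release.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// grafanaVersion is a parsed release such as "12.3.1" or "12.3.1+security-01".
// The security suffix is kept as a fourth ordered component (0 when absent)
// so that a security release sorts after the plain release it patches.
type grafanaVersion struct {
	major, minor, patch, security int
}

func parseVersion(s string) (grafanaVersion, error) {
	var v grafanaVersion
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	parts := strings.SplitN(s, "+", 2)
	if len(parts) == 2 {
		if !strings.HasPrefix(parts[1], "security-") {
			return v, fmt.Errorf("unsupported build metadata %q", parts[1])
		}
		n, err := strconv.Atoi(strings.TrimPrefix(parts[1], "security-"))
		if err != nil {
			return v, fmt.Errorf("bad security revision in %q: %w", s, err)
		}
		v.security = n
	}
	core := strings.Split(parts[0], ".")
	if len(core) != 3 {
		return v, fmt.Errorf("expected MAJOR.MINOR.PATCH, got %q", parts[0])
	}
	var nums [3]int
	for i, p := range core {
		n, err := strconv.Atoi(p) // pre-release tags such as "0-pre" are rejected here
		if err != nil {
			return v, fmt.Errorf("bad component %q in %q: %w", p, s, err)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

func (a grafanaVersion) less(b grafanaVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.security < b.security
}

// versionRange is ">=lo <hi": lo is affected, hi is the first fixed build.
type versionRange struct{ lo, hi string }

// affectedRanges copies the ranges printed in the two advisories above.
var affectedRanges = map[string][]versionRange{
	"CVE-2026-21720": {
		{"12.3.0", "12.3.1+security-01"}, {"12.2.0", "12.2.3+security-01"},
		{"12.1.0", "12.1.5+security-01"}, {"12.0.0", "12.0.8+security-01"},
		{"3.0.0", "11.6.9+security-01"},
	},
	"CVE-2026-21721": {
		{"12.3.0", "12.3.1+security-01"}, {"12.2.0", "12.2.3+security-01"},
		{"12.1.0", "12.1.5+security-01"}, {"12.0.0", "12.0.8+security-01"},
		{"10.2.0", "11.6.9+security-01"},
	},
}

// isAffected reports whether version falls inside any listed range for cve.
func isAffected(cve, version string) (bool, error) {
	ranges, ok := affectedRanges[cve]
	if !ok {
		return false, fmt.Errorf("no ranges recorded for %s", cve)
	}
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range ranges {
		lo, err := parseVersion(r.lo)
		if err != nil {
			return false, err
		}
		hi, err := parseVersion(r.hi)
		if err != nil {
			return false, err
		}
		if !v.less(lo) && v.less(hi) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	for _, ver := range []string{"9.5.0", "11.6.9", "11.6.9+security-01", "12.3.1"} {
		a, _ := isAffected("CVE-2026-21720", ver)
		b, _ := isAffected("CVE-2026-21721", ver)
		fmt.Printf("%-20s CVE-2026-21720=%v CVE-2026-21721=%v\n", ver, a, b)
	}
}
```

Feed it the version string reported by the running instance (the /api/health endpoint or the Grafana binary's -v output); a version that parses but sits outside every range, including anything newer than the listed fixes, is reported as not affected for these two advisories only.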
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================