FreeBSD: VID-6adfda5a-2118-11f0-8ca6-6c3be5272acd (CVE-2025-3260): Grafana -- Bypass Viewer and Editor permissions
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:P) | Apr 24, 2025 | Dec 10, 2025 | Dec 10, 2025 |
Description
Grafana Labs reports: During the development of a new feature in Grafana 11.6.x, a security vulnerability was introduced that allows for Viewers and Editors to bypass dashboard-specific permissions. As a result, users with the Viewer role could view all the dashboards within their org and users with the Editor role could view, edit, and delete all the dashboards in their org. Note: Organization isolation boundaries still apply, which means viewers and editors in one organization cannot view or edit dashboards in another org. Also this vulnerability does not allow users to query data via data sources they don’t have access to. The CVSS score for this vulnerability is 8.3 HIGH.
Solution
freebsd-upgrade-package-grafana