What is Grafana?
Grafana is a widely deployed open-source observability and data visualization platform. Organizations use it to display metrics, logs, and traces from datasources such as Prometheus, InfluxDB, Elasticsearch, and cloud providers in dashboards and alerts. Grafana's snapshot feature captures a dashboard together with the data it showed at a point in time and makes that capture available at a URL containing a snapshot key; anyone holding the URL can view the snapshot without authenticating to Grafana, and a snapshot can optionally be published to an external snapshot server. Many organizations run Grafana only internally, but the snapshot feature, and misconfigured deployments, frequently expose it to external users.
Overview
CVE-2021-39226 is an authentication bypass (CWE-287) in Grafana's snapshot handling. Requesting the literal paths `/dashboard/snapshot/:key` or `/api/snapshots/:key` (with the route parameter name left unsubstituted) returns the snapshot with the lowest database key, to unauthenticated and authenticated users alike. Authenticated users can delete that snapshot regardless of who created it via `/api/snapshots/:key` or `/api/snapshots-delete/:deleteKey`, and if the `[snapshots] public_mode` setting is `true` (default `false`) unauthenticated users can delete it too. Because deleting the lowest-key snapshot exposes the next one, view and delete together let an attacker walk through every stored snapshot while destroying all of them. Grafana Labs patched this in an emergency release on October 5, 2021 (versions 7.5.11 and 8.1.6). CISA added the CVE to its Known Exploited Vulnerabilities catalog in August 2022, reflecting evidence of exploitation against unpatched instances.
Affected Versions
| Version | Vulnerable | Fixed in |
|---|---|---|
| Grafana 2.0.1 through 7.5.10 | Yes | 7.5.11 |
| Grafana 8.0.0 through 8.1.5 | Yes | 8.1.6 |
| Grafana 7.5.11, 8.1.6 and later | No | N/A |
Technical Details
Grafana's snapshot functionality allows users to create publicly shareable URL versions of dashboards. Each snapshot has a random key that appears in its URL, plus a separate delete key used by the deletion link. In affected versions, a request whose path contains the route parameter placeholder itself (`:key` or `:deleteKey`) instead of a real key is not rejected; the lookup returns the snapshot with the lowest database key. The vulnerability allows:
- Unauthenticated view: any client that requests `/dashboard/snapshot/:key` or `/api/snapshots/:key` receives the lowest-key snapshot without authenticating to Grafana, including snapshots that were never meant to be public and were never shared externally
- Delete: authenticated users can delete that snapshot through `/api/snapshots/:key` or `/api/snapshots-delete/:deleteKey` regardless of ownership; if `[snapshots] public_mode = true`, `/api/snapshots-delete/:deleteKey` also works unauthenticated. Repeating view-then-delete enumerates and destroys every snapshot in turn
- Data exposure: snapshots contain the rendered metric data from all datasources on the dashboard at the time of creation, potentially including sensitive business metrics, infrastructure performance data, hostnames, and security-relevant signals
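The probe paths above are unusual enough to be worth hunting for in Grafana's own server log. The following is an added example, not code from the original page or from Grafana Labs, that parses logfmt "Request Completed" lines and flags requests to the literal `:key` and `:deleteKey` paths, noting whether the caller was anonymous (`userId=0`). The sample log lines are constructed for the example; the field names (`t`, `msg`, `userId`, `method`, `path`, `status`, `remote_addr`) follow Grafana's request log format, which only records successful requests when `[server] router_logging = true` is set.

```python
import re
from dataclasses import dataclass

# Literal, unsubstituted route parameters that trigger CVE-2021-39226.
# A legitimate snapshot request carries a real key in place of ":key".
PROBE_PATHS = {
    "/dashboard/snapshot/:key": "view (unauthenticated or authenticated)",
    "/api/snapshots/:key": "view via API (unauthenticated or authenticated)",
    "/api/snapshots-delete/:deleteKey": "delete (unauthenticated only if public_mode = true)",
}

# logfmt token: key=bare-value or key="quoted string"
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_logfmt(line: str) -> dict:
    """Parse one Grafana server-log line (logfmt) into a dict of fields."""
    fields = {}
    for key, value in _TOKEN.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


@dataclass
class Finding:
    timestamp: str
    method: str
    path: str
    status: str
    remote_addr: str
    authenticated: bool   # False when Grafana logged userId=0 (anonymous)
    impact: str


def find_snapshot_probes(lines) -> list:
    """Return every completed request to a literal ':key' / ':deleteKey' path."""
    findings = []
    for line in lines:
        f = parse_logfmt(line)
        if f.get("msg") != "Request Completed":
            continue
        path = f.get("path", "").split("?", 1)[0].rstrip("/")
        impact = PROBE_PATHS.get(path)
        if impact is None:
            continue
        findings.append(Finding(
            timestamp=f.get("t", ""),
            method=f.get("method", ""),
            path=path,
            status=f.get("status", ""),
            remote_addr=f.get("remote_addr", ""),
            authenticated=f.get("userId", "0") != "0",
            impact=impact,
        ))
    return findings


# Constructed sample: one anonymous client walks view -> delete -> view,
# an admin fetches a real snapshot, and an unrelated /login request.
SAMPLE_LOG = """\
t=2021-10-06T09:12:01+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/snapshots/:key status=200 remote_addr=203.0.113.7 time_ms=4 size=18230 referer=
t=2021-10-06T09:12:02+0000 lvl=info msg="Request Completed" logger=context userId=1 orgId=1 uname=admin method=GET path=/api/snapshots/aBcDeF12 status=200 remote_addr=10.0.0.5 time_ms=3 size=9100 referer=
t=2021-10-06T09:12:05+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/snapshots-delete/:deleteKey status=200 remote_addr=203.0.113.7 time_ms=2 size=40 referer=
t=2021-10-06T09:12:09+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/dashboard/snapshot/:key status=200 remote_addr=203.0.113.7 time_ms=5 size=3100 referer=
t=2021-10-06T09:13:00+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login status=200 remote_addr=198.51.100.3 time_ms=1 size=2200 referer=
"""

if __name__ == "__main__":
    for hit in find_snapshot_probes(SAMPLE_LOG.splitlines()):
        who = "authenticated" if hit.authenticated else "ANONYMOUS"
        print(f"{hit.timestamp} {hit.remote_addr} {who} {hit.method} {hit.path} -> {hit.status}: {hit.impact}")
```

A `status=200` on the delete path from an anonymous client is the strongest signal, since it only succeeds with `public_mode = true`; on a reverse proxy in front of Grafana the same literal paths can be searched in the proxy access log instead.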
Discovery
Identified by the Grafana Labs security team and patched in an emergency release that contained only this fix. The 10-month gap between the patch (October 2021) and the CISA KEV listing (August 2022) indicates that exploitation of internet-accessible, unpatched instances was confirmed well after the fix was available; the KEV entry does not say when exploitation began.
Exploitation Context
Grafana is frequently exposed to the internet, either deliberately (for external dashboards) or accidentally (misconfigured deployments). An exposed, unpatched instance lets any internet user retrieve snapshot data containing potentially sensitive infrastructure metrics, and no snapshot key needs to be guessed: the literal `:key` path is the same on every instance, so the attack scales across an internet scan. Deletion does not affect live dashboards or datasources, but combined with the view bypass it allows an attacker to read every stored snapshot in turn while wiping them all.
Remediation
- Upgrade Grafana to version 7.5.11, 8.1.6, or any later release
- If operating Grafana Cloud, Grafana Labs patched cloud instances automatically
- Reduce exposure through the `[snapshots]` section of `grafana.ini` if an immediate upgrade is not possible: keep `public_mode = false` (the default), since `true` allows the unauthenticated delete, and set `external_enabled = false` to stop snapshots being published to the external snapshot server. Note that neither setting turns the snapshot feature off in the affected versions, so the view bypass remains until the upgrade
- Restrict Grafana access to internal networks or VPN-connected users; Grafana should not be internet-accessible unless specifically required
- Review existing snapshots for sensitive data and delete any that are no longer needed
- Audit Grafana and reverse-proxy access logs for requests containing the literal strings `/snapshot/:key`, `/api/snapshots/:key`, or `/api/snapshots-delete/:deleteKey`; any such request is a probe, and a successful one from an unauthenticated client means snapshot data was disclosed
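To make the upgrade and configuration checks repeatable across many instances, here is an added example (not code from the page or from Grafana Labs) that classifies a Grafana version string against the fixed releases named in the advisory, reads the version out of the JSON that Grafana's unauthenticated `GET /api/health` endpoint returns, and reports the `[snapshots]` settings that change this CVE's exposure. The `grafana.ini` excerpt is constructed for the example. Two assumptions are labelled in the code: pre-release tags are ignored when comparing versions, and settings overridden by `GF_SNAPSHOTS_*` environment variables are not visible in the file.

```python
import configparser
import json
import re

# First fixed releases from the Grafana Labs advisory for CVE-2021-39226.
FIXED_7X = (7, 5, 11)
FIXED_8X = (8, 1, 6)


def parse_version(text: str) -> tuple:
    """'8.1.5', 'v7.5.10', '8.2.0-beta1' -> numeric tuple.

    Assumption: pre-release suffixes are dropped, so a beta of a fixed
    release is treated as fixed; check the exact build if that matters.
    """
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable(version: str) -> bool:
    """True if this release predates the CVE-2021-39226 fix on its branch."""
    v = parse_version(version)
    if v[0] < 8:
        # advisory lists 2.0.1..7.5.10; anything older is unsupported anyway
        return v < FIXED_7X
    return v < FIXED_8X      # 8.0.0..8.1.5 vulnerable, 8.1.6 and later fixed


def version_from_health(health_json: str) -> str:
    """Extract 'version' from the body of GET /api/health (no auth needed)."""
    return json.loads(health_json)["version"]


def check_snapshot_config(ini_text: str) -> dict:
    """Report the [snapshots] settings relevant to this CVE.

    Assumption: only the file is inspected; GF_SNAPSHOTS_PUBLIC_MODE and
    GF_SNAPSHOTS_EXTERNAL_ENABLED environment overrides are not considered.
    """
    cfg = configparser.ConfigParser(
        interpolation=None,              # grafana.ini uses ${VAR} and % literally
        inline_comment_prefixes=(";", "#"),
        strict=False,
    )
    # grafana.ini may carry keys (e.g. app_mode) before any section header,
    # which configparser rejects; a dummy section absorbs them.
    cfg.read_string("[__global__]\n" + ini_text)
    section = cfg["snapshots"] if cfg.has_section("snapshots") else {}

    def flag(name, default):
        return str(section.get(name, default)).strip().lower() == "true"

    public_mode = flag("public_mode", "false")
    external_enabled = flag("external_enabled", "true")
    return {
        "public_mode": public_mode,
        "external_enabled": external_enabled,
        # anonymous deletion of the lowest-key snapshot needs public_mode = true
        "unauthenticated_delete_possible": public_mode,
    }


# Constructed grafana.ini excerpt with the risky setting enabled.
SAMPLE_INI = """\
app_mode = production
[server]
http_port = 3000
[snapshots]
external_enabled = false   ; do not publish to the external snapshot server
public_mode = true
"""

# Constructed /api/health body from an unpatched 8.1.x instance.
SAMPLE_HEALTH = '{"commit": "abcdef0", "database": "ok", "version": "8.1.5"}'

if __name__ == "__main__":
    ver = version_from_health(SAMPLE_HEALTH)
    print(f"Grafana {ver}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
    print(check_snapshot_config(SAMPLE_INI))
```

Feed `version_from_health` the response of `curl -s https://<grafana>/api/health` for each instance; the endpoint needs no credentials, so it can be checked from outside the same way an attacker would fingerprint the target.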
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-39226 |
| Vendor / Product | Grafana Labs — Grafana |
| NVD Published | 2021-10-05 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-287 |
| CISA KEV Added | 2022-08-25 |
| CISA KEV Deadline | 2022-09-15 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-10-05 | Grafana Labs releases 7.5.11 and 8.1.6 with critical fix; CVE published |
| 2022-08-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-09-15 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Grafana 7.5.11 and 8.1.6 Released — Critical Security Fix (CVE-2021-39226) | Vendor Advisory |
| NVD — CVE-2021-39226 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |