CVE-2021-43798 — Grafana Path Traversal Vulnerability


Grafana 8.x — Unauthenticated Path Traversal via Plugin Static File Handler Enabling Arbitrary Local File Read; Emergency Patches Released December 2021

What is Grafana?

Grafana is the world's most popular open-source observability and monitoring dashboard platform, used by organizations of all sizes to visualize metrics, logs, and traces from infrastructure, applications, and databases. Grafana instances typically have access to sensitive monitoring data including database credentials (configured as data sources), API keys, cloud provider credentials, and complete infrastructure monitoring state. Because Grafana is widely deployed with internet-accessible interfaces (for remote monitoring access), and because the server's filesystem may contain sensitive configuration files, path traversal vulnerabilities in Grafana carry significant data exposure risk.

Overview

CVE-2021-43798 is an unauthenticated path traversal vulnerability (CWE-22) in Grafana 8.x affecting the plugin static file serving handler. Grafana's HTTP handler for plugin assets (/public/plugins/<plugin-id>/) serves static files for installed plugins. The path normalization fails to adequately sanitize traversal sequences (../), allowing an unauthenticated attacker to traverse outside the plugin directory and read arbitrary files from the Grafana server's filesystem. Grafana Labs released emergency patches across multiple Grafana 8.x branches on December 7, 2021 — the same day the vulnerability was disclosed. Proof-of-concept exploits circulated on social media within hours, triggering mass scanning.

Affected Versions

Product                    Vulnerable      Fixed
Grafana 8.0.x              Yes             8.0.7
Grafana 8.1.x              Yes             8.1.8
Grafana 8.2.x              Yes             8.2.7
Grafana 8.3.0              Yes             8.3.1
Grafana 7.x and earlier    Not affected    N/A

Technical Details

The Grafana web server serves static assets (JavaScript, CSS, images) for installed plugins via a dedicated URL path. The handler fails to properly normalize URL path traversal sequences:

  • Root cause: Path traversal (CWE-22) — the plugin file serving handler at /public/plugins/<plugin-id>/ does not sanitize ../ sequences before constructing the file path, allowing traversal outside the plugin asset directory
  • No authentication required — plugin static assets are public by design; the handler is accessible without authentication
  • File read capability: An attacker can read any file readable by the Grafana process on the server filesystem. Typical targets include Grafana's own grafana.ini (database passwords and the secret key), data source configuration files (database credentials), /etc/passwd, other system configuration files, and private key files
  • Exploitation pattern: A URL like /public/plugins/alertlist/../../../../etc/passwd returns the contents of /etc/passwd
  • Information use: Credentials extracted from Grafana configuration files can be used to access monitored databases, cloud services, and internal APIs directly
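The following is an added example, not Grafana's own code: it places the flawed join pattern described above beside a hardened version that rejects any resolved path that leaves the plugin directory. pluginRoot is an assumed, hypothetical location; relative to it, the page's four-segment traversal resolves to /var/etc/passwd, which is enough to show that the result escapes the plugin tree.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Hypothetical plugin root used for illustration; not Grafana's actual layout.
const pluginRoot = "/var/lib/grafana/plugins"

var errTraversal = errors.New("requested path escapes plugin directory")

// vulnerableAssetPath mirrors the flawed pattern: the requested file is joined onto
// the plugin directory, and filepath.Join's Clean step resolves the "../" segments,
// so the result may point anywhere on the filesystem.
func vulnerableAssetPath(pluginID, requested string) string {
	return filepath.Join(pluginRoot, pluginID, requested)
}

// safeAssetPath performs the same join, then verifies that the cleaned result is
// still inside the plugin's directory; anything that resolves outside is rejected.
func safeAssetPath(pluginID, requested string) (string, error) {
	pluginDir := filepath.Join(pluginRoot, pluginID)
	full := filepath.Join(pluginDir, requested)
	rel, err := filepath.Rel(pluginDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return full, nil
}

func main() {
	for _, req := range []string{"module.js", "../../../../etc/passwd"} {
		fmt.Printf("vulnerable: %s\n", vulnerableAssetPath("alertlist", req))
		if p, err := safeAssetPath("alertlist", req); err != nil {
			fmt.Printf("hardened:   rejected (%v)\n", err)
		} else {
			fmt.Printf("hardened:   %s\n", p)
		}
	}
}
```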

Discovery

Reported by Jorgan Holland and others. Grafana Labs took an aggressive immediate-patch approach, releasing fixes across four active Grafana 8.x branches simultaneously on the same day as public disclosure.

Exploitation Context

Grafana is widely deployed in enterprise environments and exposed to the internet for remote monitoring dashboards. The trivially simple nature of the exploit (basic path traversal, no authentication, PoC within hours of disclosure) and Grafana's broad deployment led to mass scanning within 24 hours. CISA added this to KEV in October 2025 — nearly four years after disclosure — reflecting continued exploitation against organizations running unpatched Grafana 8.x instances.

Remediation

  1. Upgrade Grafana to 8.3.1, 8.2.7, 8.1.8, or 8.0.7 — or any later version
  2. Rotate all credentials exposed in Grafana configuration files: database passwords, data source API keys, SMTP passwords, and the Grafana secret key
  3. Review Grafana access logs for requests to /public/plugins/ containing ../ sequences that may indicate prior exploitation
  4. Restrict external access to the Grafana web interface — Grafana should not be directly internet-accessible without authentication
  5. Consider Grafana Cloud (hosted) as an alternative to self-hosted Grafana — Grafana Labs patches their cloud service immediately
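As an added example for the log review in step 3 (not Grafana's code), the check below walks constructed request-log lines, decodes each path once so a percent-encoded separator is not overlooked, and flags requests to /public/plugins/ that still carry a ".." segment. The log line shape is assumed to follow Grafana's logfmt request logging; the sample lines and addresses are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample lines in the shape of Grafana's logfmt request log (assumed format, not
// captured from a real instance); the third request uses a percent-encoded slash.
const sampleLog = `t=2021-12-08T09:14:02+0000 lvl=info msg="Request Completed" method=GET path=/public/plugins/alertlist/module.js status=200 remote_addr=10.0.0.5
t=2021-12-08T09:15:11+0000 lvl=info msg="Request Completed" method=GET path=/public/plugins/alertlist/../../../../etc/passwd status=200 remote_addr=203.0.113.7
t=2021-12-08T09:15:12+0000 lvl=info msg="Request Completed" method=GET path=/public/plugins/alertlist/..%2f..%2f..%2f..%2fetc/passwd status=200 remote_addr=203.0.113.7
t=2021-12-08T09:16:40+0000 lvl=info msg="Request Completed" method=GET path=/api/dashboards/home status=200 remote_addr=10.0.0.5`

// suspiciousPluginRequest reports whether a request path targets the plugin asset
// handler and still contains a ".." segment once URL-decoded.
func suspiciousPluginRequest(path string) bool {
	decoded, err := url.PathUnescape(path)
	if err != nil {
		decoded = path // undecodable path: inspect it as received
	}
	if !strings.HasPrefix(decoded, "/public/plugins/") {
		return false
	}
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// findTraversalAttempts returns the log lines whose path field looks like a probe.
func findTraversalAttempts(log string) []string {
	pathField := regexp.MustCompile(`\bpath=(\S+)`)
	var hits []string
	for _, line := range strings.Split(log, "\n") {
		if m := pathField.FindStringSubmatch(line); m != nil && suspiciousPluginRequest(m[1]) {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() {
	for _, h := range findTraversalAttempts(sampleLog) {
		fmt.Println("possible CVE-2021-43798 probe:", h)
	}
}
```

A hit with status=200 deserves the credential rotation in step 2; a 4xx response still records a probe worth correlating with the source address.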

Key Details

Property                Value
CVE ID                  CVE-2021-43798
Vendor / Product        Grafana Labs — Grafana
NVD Published           2021-12-07
NVD Last Modified       2025-10-24
CVSS 3.1 Score          7.5
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity                HIGH
CWE                     CWE-22
CISA KEV Added          2025-10-09
CISA KEV Deadline       2025-10-30
Known Ransomware Use    No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2025-10-30. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2021-12-07    Grafana Labs releases emergency patches 8.3.1, 8.2.7, 8.1.8, and 8.0.7 for CVE-2021-43798; CVE published
2021-12-07    Proof-of-concept exploits circulate on social media within hours of the advisory
2021-12-08    Mass scanning for vulnerable Grafana instances observed
2025-10-09    Added to CISA Known Exploited Vulnerabilities catalog
2025-10-30    CISA BOD 22-01 remediation deadline