CVE-2026-21724: Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions

March 26, 2026 (updated April 23, 2026)

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

A patched version is available at https://github.com/grafana/grafana/releases/tag/v12.3.6.

References

github.com/advisories/GHSA-7g92-g4vh-hp84
github.com/grafana/grafana
github.com/grafana/grafana/commit/daffe750de85b0dbf79f206a35835cf66a83d6ca
github.com/grafana/grafana/releases/tag/v12.3.6
grafana.com/security/security-advisories/cve-2026-21724
nvd.nist.gov/vuln/detail/CVE-2026-21724

Code Behaviors & Features

Detect and mitigate CVE-2026-21724 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →