CVE-2026-27877: Grafana public dashboards disclose all direct mode datasources

March 27, 2026 (updated May 13, 2026)

When public dashboards are used together with direct data-sources, the passwords of all direct data-sources are exposed, including those of data-sources that are not used in any dashboard.

No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments’ security.

References

  • github.com/advisories/GHSA-3q27-7qjq-p9c5
  • grafana.com/security/security-advisories/cve-2026-27877
  • nvd.nist.gov/vuln/detail/CVE-2026-27877

Affected versions

  • All versions starting from 1.9.2-0.20221116104934-4ee83a5f2bf4 before 1.9.2-0.20260325055210-3522153e07b4
  • All versions starting from 9.3.0 before 11.6.14
  • All versions starting from 12.0.0 before 12.1.10
  • All versions starting from 12.2.0 before 12.2.8
  • All versions starting from 12.3.0 before 12.3.6
  • All versions starting from 12.4.0 before 12.4.2

Fixed versions

  • 1.9.2-0.20260325055210-3522153e07b4
  • 11.6.14
  • 12.1.10
  • 12.2.8
  • 12.3.6
  • 12.4.2

Solution

Upgrade to versions 1.9.2-0.20260325055210-3522153e07b4, 11.6.14, 12.1.10, 12.2.8, 12.3.6, 12.4.2 or above.
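
The following triage script is an added example, not code from GitLab or Grafana: it checks a tagged Grafana release against the affected ranges listed above and lists the data sources still in direct mode, which the advisory recommends converting to proxied. It assumes a data-source listing shaped like Grafana's `/api/datasources` JSON response with `name` and `access` fields; the function names and the sample data are constructed for illustration.

```python
import json

# Affected tagged-release ranges from the advisory, as [introduced, fixed).
AFFECTED_RANGES = [
    ((9, 3, 0), (11, 6, 14)),
    ((12, 0, 0), (12, 1, 10)),
    ((12, 2, 0), (12, 2, 8)),
    ((12, 3, 0), (12, 3, 6)),
    ((12, 4, 0), (12, 4, 2)),
]

def parse_release(version):
    """Parse 'v12.3.1' or '12.3.1+build1' into (12, 3, 1).

    Pre-releases and Go pseudo-versions (anything with a '-' suffix) are
    rejected so they get a manual check against the advisory instead.
    """
    core = version.strip().lstrip("v").split("+", 1)[0]
    if "-" in core:
        raise ValueError(f"needs manual review: {version}")
    major, minor, patch = (int(p) for p in core.split("."))
    return (major, minor, patch)

def is_affected(version):
    """True if the release falls inside any affected range."""
    v = parse_release(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def direct_datasources(api_json):
    """Names of data sources whose access mode is 'direct'."""
    return sorted(d["name"] for d in json.loads(api_json)
                  if d.get("access") == "direct")

def triage(version, api_json):
    """Combine the version check with the list of direct-mode data sources."""
    return {"affected": is_affected(version),
            "convert_to_proxy": direct_datasources(api_json)}

# Constructed sample listing (assumed shape, not real deployment data).
SAMPLE = json.dumps([
    {"name": "prod-metrics", "type": "prometheus", "access": "proxy"},
    {"name": "legacy-graphite", "type": "graphite", "access": "direct"},
    {"name": "browser-es", "type": "elasticsearch", "access": "direct"},
])

if __name__ == "__main__":
    print(triage("12.2.3", SAMPLE))
```

The script cannot tell whether public dashboards are enabled, which the advisory names as a precondition, so confirm that separately.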

Impact 6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weakness

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-312: Cleartext Storage of Sensitive Information

Source file

go/github.com/grafana/grafana/CVE-2026-27877.yml

Page generated Thu, 21 May 2026 12:19:22 +0000.