CVE-2025-3260: Grafana vulnerable to authenticated users bypassing dashboard, folder permissions
(updated )
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).
Impact:
Viewers can view all dashboards/folders regardless of permissions
Editors can view/edit/delete all dashboards/folders regardless of permissions
Editors can create dashboards in any folder regardless of permissions
Anonymous users with viewer/editor roles are similarly affected
Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
References
- github.com/advisories/GHSA-3px7-c4j3-576r
- github.com/grafana/grafana
- github.com/grafana/grafana/blob/be8d153dc33734caba4f617ff571d18253e68fa0/CHANGELOG.md
- grafana.com/blog/2025/04/22/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-3260-cve-2025-2703-cve-2025-3454
- grafana.com/security/security-advisories/CVE-2025-3260
- nvd.nist.gov/vuln/detail/CVE-2025-3260
Code Behaviors & Features
Detect and mitigate CVE-2025-3260 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →