CVE-2021-39226— Snapshot authentication bypass in grafana
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-39226
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Snapshot authentication bypass in grafana
Source: NVD (National Vulnerability Database)
Vulnerability Description
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Grafana 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Grafana是Grafana实验室的一套提供可视化监控界面的开源监控工具。该工具主要用于监控和分析Graphite、InfluxDB和Prometheus等。 Grafana 存在授权问题漏洞,该漏洞源于在受影响的版本中,未经身份验证和身份验证的用户都可以通过访问路径:/dashboard/snapshot/:key或/api/snapshot/:key来查看具有最低数据库键的快照。如果快照"公共模式"配置设置为true(而默认为false),未经身份验证的用户可以通过访问路径:/api/snapsho
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
II. Public POCs for CVE-2021-39226
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Grafana instances up to 7.5.11 and 8.1.5 allow remote unauthenticated users to view the snapshot associated with the lowest database key by accessing the literal paths /api/snapshot/:key or /dashboard/snapshot/:key. If the snapshot is in public mode, unauthenticated users can delete snapshots by accessing the endpoint /api/snapshots-delete/:deleteKey. Authenticated users can also delete snapshots by accessing the endpoints /api/snapshots-delete/:deleteKey, or sending a delete request to /api/snapshot/:key, regardless of whether or not the snapshot is set to public mode (disabled by default). | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39226.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-39226
请登录查看更多情报信息。
- https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9x_refsource_CONFIRM
- https://security.netapp.com/advisory/ntap-20211029-0008/x_refsource_CONFIRM
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/vendor-advisoryx_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/vendor-advisoryx_refsource_FEDORA
- https://nvd.nist.gov/vuln/detail/CVE-2021-39226
IV. Related Vulnerabilities
Same product: grafana
- CVE-2026-27879
Query resampling can cause unbounded memory allocations - CVE-2026-28375
Grafana Testdata datasource can issue unbounded memory alloc - CVE-2026-27876
RCE on Grafana via sqlExpressions - CVE-2026-27880
OpenFeature evaluation API reads input data with no bounds - CVE-2026-27877
Public dashboards discloses all direct mode datasources
Same vendor: grafana
- CVE-2026-21728
Tempo query limit results in unbounded memory allocation - CVE-2026-21726
Loki Path Traversal - CVE-2021-36156 Bypass - CVE-2025-41118
Sensitive COS `SecretKey` exposed in plaintext via configura - CVE-2026-21727
Grafana Correlations: Cross-Tenant Data Disclosure and Perma - CVE-2025-12141
Grafana Alerting Editors can edit destination of webhooks th
Same weakness: CWE-287
- CVE-2026-8244
Industrial Application Software IAS Canias ERP Login RMI imp - CVE-2026-8216
Industrial Application Software IAS Canias ERP Java RMI Sess - CVE-2026-8214
Industrial Application Software IAS Canias ERP RMI doAction - CVE-2026-42560
auth: Patreon provider assigns the same local user ID to eve - CVE-2026-41070
openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, all
V. Comments for CVE-2021-39226
No comments yet