CVE-2025-12141— Grafana 安全漏洞

Grafana Alerting Editors can edit destination of webhooks they did not create

In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.

N/A

信息暴露

Grafana 安全漏洞

Grafana是Grafana开源的一套提供可视化监控界面的开源监控工具。该工具主要用于监控和分析Graphite、InfluxDB和Prometheus等。 Grafana存在安全漏洞，该漏洞源于具有编辑权限的用户可以修改其他用户创建的联络点并利用测试功能，可能导致捕获和提取安全设置，造成未经授权的访问。

N/A

N/A