{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21722", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-01-05T09:26:06.214Z", "datePublished": "2026-02-12T08:49:05.678Z", "dateUpdated": "2026-02-12T14:24:22.715Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-02-12T13:00:21.310Z"}, "datePublic": "2026-02-12T07:13:06.000Z", "title": "Public Dashboards time range restriction on annotations can be bypassed", "descriptions": [{"lang": "en", "value": "Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\n\nThis did not leak any annotations that would not otherwise be visible on the public dashboard."}], "affected": [{"vendor": "Grafana", "product": "grafana/grafana", "defaultStatus": "unaffected", "versions": [{"status": "affected", "versionType": "semver", "version": "9.3.0", "lessThan": "11.6.10+security-01"}, {"status": "affected", "versionType": "semver", "version": "12.0.0", "lessThan": "12.1.6+security-01"}, {"status": "affected", "versionType": "semver", "version": "12.2.0", "lessThan": "12.2.4+security-01"}, {"status": "affected", "versionType": "semver", "version": "12.3.0", "lessThan": "12.3.2+security-01"}]}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "defaultStatus": "unaffected", "versions": [{"status": "affected", "versionType": "semver", "version": "9.3.0", "lessThan": "11.6.10+security-01"}, {"status": "affected", "versionType": "semver", "version": "12.0.0", "lessThan": "12.1.6+security-01"}, {"status": "affected", "versionType": "semver", "version": "12.2.0", "lessThan": "12.2.4+security-01"}, {"status": "affected", "versionType": "semver", "version": "12.3.0", "lessThan": "12.3.2+security-01"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-21722", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T14:24:06.337064Z", "id": "CVE-2026-21722", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T14:24:22.715Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21722", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T14:24:06.337064Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T14:24:11.898Z"}}], "cna": {"title": "Public Dashboards time range restriction on annotations can be bypassed", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "Grafana", "product": "grafana/grafana", "versions": [{"status": "affected", "version": "9.3.0", "lessThan": "11.6.10+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.0.0", "lessThan": "12.1.6+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.4+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.3.0", "lessThan": "12.3.2+security-01", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "grafana/grafana-enterprise", "versions": [{"status": "affected", "version": "9.3.0", "lessThan": "11.6.10+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.0.0", "lessThan": "12.1.6+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.4+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.3.0", "lessThan": "12.3.2+security-01", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-12T07:13:06.000Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-21722", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\n\nThis did not leak any annotations that would not otherwise be visible on the public dashboard."}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-02-12T13:00:21.310Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21722", "state": "PUBLISHED", "dateUpdated": "2026-02-12T14:24:22.715Z", "dateReserved": "2026-01-05T09:26:06.214Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-02-12T08:49:05.678Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\n\nThis did not leak any annotations that would not otherwise be visible on the public dashboard."}], "id": "CVE-2026-21722", "lastModified": "2026-02-12T15:10:37.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-02-12T09:16:08.763", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/CVE-2026-21722"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "grafana: Public Dashboards time range restriction on annotations can be bypassed", "id": "2439292", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439292"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-200", "details": ["A flaw was found in Grafana. Public dashboards with annotations enabled fail to limit their annotation time range to the locked time range of the public dashboard. This flaw allows an attacker to retrieve the entire history of annotations visible on that dashboard, including those outside the locked time range."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-21722", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-12T08:49:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21722\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21722\nhttps://grafana.com/security/security-advisories/CVE-2026-21722"], "statement": "This issue only exposes annotations that would otherwise be visible on the public dashboard if the time range were different, it does not leak annotations from private dashboards or data that is restricted by other permission models. Due to this reason, this vulnerability has been rated with a moderate severity.", "threat_severity": "Moderate"}