PT-2026-4878 · Unknown+2 · Dashboard Permissions Api+2
Se1En
·
Published
2026-01-27
·
Updated
2026-04-22
·
CVE-2026-21721
CVSS v2.0
8.5
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
versions prior to 2026-21721
Description
The dashboard permissions API does not verify the target dashboard scope, only checking the dashboards.permissions:* action. This allows a user with permission management rights on one dashboard to read and modify permissions on other dashboards, resulting in a privilege escalation. The API endpoint in question is the dashboard permissions API. The vulnerable action is dashboards.permissions:*.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
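The missing scope check from the description, shown as an added Go sketch that is not Grafana's code: an action-only authorization check beside one that also requires a scope covering the target dashboard. The `Permission` type, the helper names, the `dashboards.permissions:write` action, the `dashboards:uid:<uid>` scope format and the sample grant are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission pairs an RBAC action with the scope it was granted on.
// Hypothetical type; the "dashboards:uid:<uid>" scope format is an assumption.
type Permission struct{ Action, Scope string }

const action = "dashboards.permissions:write" // assumed concrete action name

// matches reports whether a granted pattern covers a value; a trailing "*" is a prefix wildcard.
func matches(granted, requested string) bool {
	if strings.HasSuffix(granted, "*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return granted == requested
}

// allowedActionOnly models the flaw: the action is checked, the target dashboard is ignored.
func allowedActionOnly(perms []Permission, dashUID string) bool {
	for _, p := range perms {
		if matches(p.Action, action) {
			return true
		}
	}
	return false
}

// allowedScoped requires the action and a granted scope that covers the target dashboard.
func allowedScoped(perms []Permission, dashUID string) bool {
	target := "dashboards:uid:" + dashUID
	for _, p := range perms {
		if matches(p.Action, action) && matches(p.Scope, target) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed grant: permission management on dashboard "team-a" only.
	perms := []Permission{{Action: "dashboards.permissions:*", Scope: "dashboards:uid:team-a"}}
	for _, uid := range []string{"team-a", "team-b"} {
		fmt.Printf("%s action-only=%v scoped=%v\n", uid, allowedActionOnly(perms, uid), allowedScoped(perms, uid))
	}
}
```

A regression test for a fix would assert the `team-b` case: a grant scoped to one dashboard must be denied on every other dashboard.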
LPE
Improper Privilege Management
Incorrect Authorization
Related identifiers
Affected products
Grafana
Red Os
Dashboard Permissions Api