CVE-2026-22641

Name of the Vulnerable Software and Affected Versions Grafana (affected versions not specified)

Description A flaw exists in Grafana’s datasource proxy API that permits bypassing authorization checks. This is achieved by including an additional slash character within the URL path. Users with limited permissions may obtain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily impacts datasources utilizing route-specific permissions, such as Alertmanager and specific Prometheus-based datasources. The vulnerable component is the datasource proxy API. The affected API endpoints are GET endpoints in Alertmanager and Prometheus datasources.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.