CVE-2025-12141

Name of the Vulnerable Software and Affected Versions Grafana (affected versions not specified)

Description In the alerting system, users with specific edit permissions for a contact point, such as alert.notifications:write or alert.notifications.receivers:test (granted via the Contact Point Writer role within the Editor role), can modify contact points created by other users. An attacker can change the endpoint URL to a server they control and use the test functionality to capture and extract redacted secure settings, including authentication credentials for third-party services like Slack tokens. This can result in unauthorized access to external integrations.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.