PT-2026-4878 · Unknown+2 · Dashboard Permissions Api+2

Se1En · Published 2026-01-27 · Updated 2026-04-22 · CVE-2026-21721

CVSS v2.0: 8.5 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions

versions prior to 2026-21721

Description

The dashboard permissions API checks only that the caller holds the dashboards.permissions:* action; it does not verify the scope of the target dashboard. A user with permission management rights on one dashboard can therefore read and modify permissions on other dashboards, resulting in a privilege escalation.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
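
The difference between an action-only check and an action-plus-scope check, as described above, shown as an added example (not code from the affected product). The `Permission` type, the helper names and the `dashboards:uid:<uid>` scope format are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is a hypothetical RBAC grant: an action and the scope it covers.
type Permission struct{ Action, Scope string }

// matches accepts an exact match or a pattern ending in the "*" wildcard.
func matches(pattern, value string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == value
}

// actionOnly models the flawed check: the target dashboard is never consulted.
func actionOnly(grants []Permission, action string) bool {
	for _, g := range grants {
		if matches(g.Action, action) {
			return true
		}
	}
	return false
}

// actionAndScope requires one grant to cover both the action and the target.
func actionAndScope(grants []Permission, action, uid string) bool {
	if uid == "" {
		return false // never evaluate an empty target against wildcard scopes
	}
	target := "dashboards:uid:" + uid // assumed scope format
	for _, g := range grants {
		if matches(g.Action, action) && matches(g.Scope, target) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: permission management rights on one dashboard only.
	grants := []Permission{{"dashboards.permissions:*", "dashboards:uid:team-a"}}
	act := "dashboards.permissions:write"
	fmt.Println("action only, finance:", actionOnly(grants, act))
	fmt.Println("action+scope, team-a:", actionAndScope(grants, act, "team-a"))
	fmt.Println("action+scope, finance:", actionAndScope(grants, act, "finance"))
}
```

The scoped check is also a useful regression test shape: for every permissions endpoint, assert that a grant limited to one dashboard is rejected when the request names a different one.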

LPE

Improper Privilege Management

Incorrect Authorization

Weakness Enumeration

Related Identifiers

ALSA-2026:2914
ALSA-2026:2920
BDU:2026-01120
BIT-GRAFANA-2026-21721
CVE-2026-21721
OPENSUSE-SU-2026:10601-1
RHSA-2026:2914
RHSA-2026:2920
RHSA-2026:3078
RHSA-2026:3529
SUSE-SU-2026:1013-1
SUSE-SU-2026:1037-1
SUSE-SU-2026:1524-1

Affected Products

Grafana
Red Os
Dashboard Permissions Api