Vulnerability DatabaseCVE-2026-21727
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-21727
Published:April 15, 2026
Updated:May 16, 2026
*** title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" *** A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
Affected Packages
https://github.com/grafana/grafana.git (GITHUB):
Affected version(s) >=v12.1.0 <v12.1.6
Fix Suggestion:
Update to version v12.1.6
https://github.com/grafana/grafana.git (GITHUB):
Affected version(s) >=v0.0.1-test <v11.6.11
Fix Suggestion:
Update to version v11.6.11
https://github.com/grafana/grafana.git (GITHUB):
Affected version(s) >=v12.3.0 <v12.3.3
Fix Suggestion:
Update to version v12.3.3
https://github.com/grafana/grafana.git (GITHUB):
Affected version(s) >=v12.2.0 <v12.2.4
Fix Suggestion:
Update to version v12.2.4
https://github.com/grafana/grafana.git (GITHUB):
Affected version(s) >=v12.0.0 <v12.0.9
Fix Suggestion:
Update to version v12.0.9
Additional Notes
The description of this vulnerability differs from MITRE.
Related Resources (1)
https://grafana.com/security/security-advisories/cve-2026-21727
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Incorrect Permission Assignment for Critical Resource
CWE-732
EPSS
Base Score:
0.02