Missing Protected-field Authorization in Provisioning Contact Points API_CVE-2026-21724

5.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Basic Information

ID CVE-2026-21724

Source GRAFANA

Published Mar 26, 2026 at 20:06

Modified Apr 9, 2026 at 13:49

Affected Product

Vendor Grafana

Product Grafana OSS

Version 12.3.1

Affected Versions Grafana Grafana OSS 12.3.1
Grafana Grafana OSS 12.2.2
Grafana Grafana OSS 12.1.5
Grafana Grafana OSS 11.6.9

CWE Classification

CWE-285

References

grafana.com /security/security-advisories/cve-2026-21724

{
    "lastseen": "",
    "description": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.",
    "published": "2026-03-26T20:06:18.829Z",
    "modified": "2026-04-09T13:49:30.847Z",
    "type": "cve",
    "title": "Missing Protected-field Authorization in Provisioning Contact Points API",
    "source": "GRAFANA",
    "references": "https://grafana.com/security/security-advisories/cve-2026-21724",
    "id": "CVE-2026-21724",
    "bulletinFamily": "",
    "cwe": [
        "CWE-285"
    ],
    "cvelist": null,
    "sourceData": "Grafana Grafana OSS 12.3.1\nGrafana Grafana OSS 12.2.2\nGrafana Grafana OSS 12.1.5\nGrafana Grafana OSS 11.6.9",
    "sourceHref": "",
    "cvss": {
        "score": 5.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Grafana OSS",
    "version": "12.3.1",
    "vendor": "Grafana",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}