CVE-2022-24812 Overview
CVE-2022-24812 is a privilege escalation vulnerability in Grafana Enterprise affecting the fine-grained access control (FGAC) feature. When this beta feature is enabled and multiple API Keys with different roles exist within an organization, a flaw in the cache ID construction allows subsequent API requests to inherit cached permissions from previous requests. This means a request made with a Viewer-privileged API Key could receive the cached Admin permissions from a preceding request, effectively bypassing authorization controls.
Critical Impact
Attackers with low-privilege API Keys can escalate to administrative privileges by exploiting the 30-second permission cache window, potentially gaining full control over Grafana dashboards, data sources, and organizational settings.
Affected Products
- Grafana Enterprise v8.1.0-beta1 and later versions prior to the fixed release, 8.4.6
- Grafana Enterprise installations with fine-grained access control enabled
- Organizations using multiple API Keys with different role assignments
Discovery Timeline
- April 12, 2022 - CVE-2022-24812 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-24812
Vulnerability Analysis
This privilege escalation vulnerability stems from an improper access control implementation (CWE-269) in Grafana Enterprise's fine-grained access control system. The vulnerability is network-accessible and requires only low privileges to exploit, with no user interaction needed.
When Grafana Enterprise processes API requests with fine-grained access control enabled, it caches the evaluated permissions for 30 seconds to improve performance. However, the cache key generation mechanism fails to properly differentiate between distinct API Keys within the same organization. As a result, all API Keys in an organization share the same cache entry, causing permission inheritance across different privilege levels.
The attack scenario is straightforward: if an administrator makes an API request, those Admin permissions are cached. Any subsequent request within the 30-second window—even from a completely different API Key with Viewer-only permissions—will receive the cached Admin privileges instead of the correct Viewer permissions.
Root Cause
The root cause lies in the flawed cache ID construction logic within Grafana Enterprise's permission evaluation system. The cache identifier does not incorporate the identity of the API Key that made the request. Instead, it appears to use only organization-level identifiers, causing all API Keys within the same organization to map to an identical cache entry. This design flaw violates the principle of least privilege by allowing permission state to leak between distinct authentication contexts.
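To make the bug class concrete, the following is an added illustration written for this page, not Grafana's own code: a small permission cache with a 30-second TTL whose behaviour depends entirely on the function that builds the cache key. The flawedKey variant scopes the entry to the organization only, which is the shape of the defect the page describes; fixedKey also includes the API Key's ID. The apiKey type, the role-to-permission mapping and the key formats are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// apiKey is a constructed stand-in for an authenticated Grafana API Key.
type apiKey struct {
	ID    int64
	OrgID int64
	Role  string // "Viewer", "Editor" or "Admin"
}

// permissions maps an action name to whether it is allowed (constructed model).
type permissions map[string]bool

type cacheEntry struct {
	perms   permissions
	expires time.Time
}

// permCache caches evaluated permissions for ttl. keyFn decides which
// requests share an entry, which is exactly where the flaw lives.
type permCache struct {
	ttl     time.Duration
	now     func() time.Time
	keyFn   func(apiKey) string
	entries map[string]cacheEntry
}

func newPermCache(ttl time.Duration, keyFn func(apiKey) string, now func() time.Time) *permCache {
	return &permCache{ttl: ttl, now: now, keyFn: keyFn, entries: map[string]cacheEntry{}}
}

// evaluate is the slow path: derive permissions from the key's role
// (assumed mapping, not Grafana's real permission set).
func evaluate(k apiKey) permissions {
	switch k.Role {
	case "Admin":
		return permissions{"dashboards:read": true, "dashboards:write": true, "datasources:write": true, "orgs:write": true}
	case "Editor":
		return permissions{"dashboards:read": true, "dashboards:write": true}
	default:
		return permissions{"dashboards:read": true}
	}
}

// Get returns the cached permissions if the entry is still fresh; otherwise
// it evaluates the key and stores the result under keyFn(k).
func (c *permCache) Get(k apiKey) permissions {
	id := c.keyFn(k)
	if e, ok := c.entries[id]; ok && c.now().Before(e.expires) {
		return e.perms
	}
	p := evaluate(k)
	c.entries[id] = cacheEntry{perms: p, expires: c.now().Add(c.ttl)}
	return p
}

// flawedKey scopes the entry to the organization only, so every API Key in
// the org shares one entry (hypothetical reconstruction of the bug class).
func flawedKey(k apiKey) string { return fmt.Sprintf("org:%d", k.OrgID) }

// fixedKey includes the authenticated principal, so entries never cross keys.
func fixedKey(k apiKey) string { return fmt.Sprintf("org:%d:apikey:%d", k.OrgID, k.ID) }

// viewerInheritsAdmin replays the scenario from the page: an Admin key makes a
// request, then a Viewer key in the same org makes one `delay` later. It
// reports whether the Viewer request was granted orgs:write.
func viewerInheritsAdmin(keyFn func(apiKey) string, delay time.Duration) bool {
	clock := time.Date(2022, 4, 12, 0, 0, 0, 0, time.UTC) // constructed fixed clock
	c := newPermCache(30*time.Second, keyFn, func() time.Time { return clock })
	admin := apiKey{ID: 1, OrgID: 1, Role: "Admin"}
	viewer := apiKey{ID: 2, OrgID: 1, Role: "Viewer"}
	c.Get(admin)
	clock = clock.Add(delay)
	return c.Get(viewer)["orgs:write"]
}

func main() {
	fmt.Println("flawed key, 5s later :", viewerInheritsAdmin(flawedKey, 5*time.Second))
	fmt.Println("flawed key, 31s later:", viewerInheritsAdmin(flawedKey, 31*time.Second))
	fmt.Println("fixed key, 5s later  :", viewerInheritsAdmin(fixedKey, 5*time.Second))
}
```

With flawedKey the Viewer request inside the 30-second window returns the Admin entry; once the entry expires, or with fixedKey from the start, the Viewer is evaluated on its own role. The design point is that any cache placed in front of an authorization decision must key on every input that decision depends on, including the principal.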
Attack Vector
The attack can be executed over the network by any user possessing a valid Grafana API Key, regardless of its assigned role. The attacker must have network access to the Grafana Enterprise instance and knowledge of the 30-second caching window.
The exploitation process involves timing API requests to coincide with higher-privileged requests from legitimate administrators. An attacker with a low-privilege API Key could monitor patterns or simply make repeated requests, waiting to inherit elevated permissions when an administrator happens to use the API. Once the cached Admin permissions are inherited, the attacker can perform administrative actions such as modifying dashboards, accessing sensitive data sources, or altering organizational configurations—all while authenticated with a Viewer-level API Key.
Detection Methods for CVE-2022-24812
Indicators of Compromise
- API requests from Viewer or Editor API Keys performing administrative operations
- Unusual permission escalation patterns in Grafana audit logs
- Multiple API Keys from the same organization making rapid sequential requests
- Administrative actions logged without corresponding administrator authentication events
Detection Strategies
- Enable and monitor Grafana Enterprise audit logging for permission anomalies
- Implement API request monitoring to detect privilege mismatches between API Key roles and actual operations performed
- Configure alerting for administrative operations performed outside of expected administrator activity windows
- Cross-reference API Key usage logs with assigned role permissions to identify discrepancies
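The cross-referencing strategy in the last item can be automated. The following is an added example written for this page, not Grafana's own tooling: it parses request-log lines, looks up the org role assigned to the API Key that made each request, compares it with the minimum role the endpoint is expected to require, and flags successful requests where the key's role is too low. The logfmt-style log lines, the API Key inventory and the endpoint-to-role policy are all constructed for the example and would need to be replaced with the deployment's real logs, inventory and policy.

```go
package main

import (
	"fmt"
	"strings"
)

// roleRank orders Grafana's built-in org roles for comparison.
var roleRank = map[string]int{"Viewer": 1, "Editor": 2, "Admin": 3}

// route maps a method and path prefix to the minimum org role expected to
// perform it (assumed policy for illustration; first match wins).
type route struct{ method, prefix, minRole string }

var routePolicy = []route{
	{"POST", "/api/datasources", "Admin"},
	{"DELETE", "/api/datasources", "Admin"},
	{"PUT", "/api/org", "Admin"},
	{"POST", "/api/dashboards/db", "Editor"},
	{"GET", "/api/", "Viewer"},
}

type finding struct {
	LineNo  int
	APIKey  string
	KeyRole string
	Needed  string
	Request string
}

// parseLogfmt splits `k=v k2="quoted value"` pairs; a minimal parser for the
// constructed log lines used here.
func parseLogfmt(line string) map[string]string {
	fields := map[string]string{}
	rest := strings.TrimSpace(line)
	for rest != "" {
		eq := strings.IndexByte(rest, '=')
		if eq < 0 {
			break
		}
		key := rest[:eq]
		rest = rest[eq+1:]
		var val string
		if strings.HasPrefix(rest, `"`) {
			end := strings.IndexByte(rest[1:], '"')
			if end < 0 {
				val, rest = rest[1:], ""
			} else {
				val, rest = rest[1:1+end], rest[end+2:]
			}
		} else if sp := strings.IndexByte(rest, ' '); sp >= 0 {
			val, rest = rest[:sp], rest[sp+1:]
		} else {
			val, rest = rest, ""
		}
		fields[key] = val
		rest = strings.TrimLeft(rest, " ")
	}
	return fields
}

func requiredRole(method, path string) (string, bool) {
	for _, r := range routePolicy {
		if r.method == method && strings.HasPrefix(path, r.prefix) {
			return r.minRole, true
		}
	}
	return "", false
}

// detectRoleMismatch returns one finding per successful (2xx) request whose
// API Key role is ranked below the role the endpoint requires.
func detectRoleMismatch(lines []string, keyRoles map[string]string) []finding {
	var out []finding
	for i, line := range lines {
		f := parseLogfmt(line)
		if !strings.HasPrefix(f["status"], "2") {
			continue // denied or failed requests are not escalations
		}
		role, known := keyRoles[f["apikey"]]
		if !known {
			continue // unknown key: belongs in an inventory review, not this check
		}
		needed, ok := requiredRole(f["method"], f["path"])
		if !ok || roleRank[role] >= roleRank[needed] {
			continue
		}
		out = append(out, finding{LineNo: i + 1, APIKey: f["apikey"], KeyRole: role, Needed: needed, Request: f["method"] + " " + f["path"]})
	}
	return out
}

// sampleLines are constructed request-log lines, not real Grafana output.
var sampleLines = []string{
	`t=2022-04-12T10:00:00Z method=PUT path=/api/org status=200 apikey=ops-admin orgId=1`,
	`t=2022-04-12T10:00:01Z method=POST path=/api/datasources status=200 apikey=ci-viewer orgId=1`,
	`t=2022-04-12T10:00:02Z method=GET path=/api/dashboards/uid/abc status=200 apikey=ci-viewer orgId=1`,
	`t=2022-04-12T10:00:03Z method=POST path=/api/dashboards/db status=403 apikey=ci-viewer orgId=1`,
	`t=2022-04-12T10:00:04Z method=POST path=/api/dashboards/db status=200 apikey=team-editor orgId=1`,
}

// sampleKeyRoles is the constructed API Key inventory (key name -> org role).
var sampleKeyRoles = map[string]string{"ops-admin": "Admin", "ci-viewer": "Viewer", "team-editor": "Editor"}

func main() {
	for _, f := range detectRoleMismatch(sampleLines, sampleKeyRoles) {
		fmt.Printf("line %d: key %q (%s) succeeded on %s, which requires %s\n", f.LineNo, f.APIKey, f.KeyRole, f.Request, f.Needed)
	}
}
```

On the sample data only the second line is flagged: a Viewer-role key succeeded on a datasource creation that should need Admin, one second after an Admin key used the API. The 403 on line four is deliberately not flagged, because a denied request is the system working; the signal for this vulnerability is a low-privilege key succeeding where it should have been denied.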
Monitoring Recommendations
- Monitor Grafana server logs for unexpected privilege elevation events
- Track API Key usage patterns and flag anomalous activity within the 30-second cache windows
- Implement network-level monitoring for Grafana API endpoints to detect potential exploitation attempts
- Review organizational API Key inventories and remove unnecessary keys with elevated privileges
How to Mitigate CVE-2022-24812
Immediate Actions Required
- Upgrade Grafana Enterprise to version 8.4.6 or later immediately
- Disable fine-grained access control if upgrading is not immediately possible
- Audit existing API Keys and reduce the number of keys with elevated privileges
- Review Grafana access logs for signs of potential exploitation
Patch Information
Grafana has released version 8.4.6 to address this vulnerability. Organizations should upgrade to this version or later as soon as possible. Detailed patch information is available in the Grafana Security Advisory and Grafana Release Notes 8.4.6.
Workarounds
- Disable fine-grained access control (FGAC) beta feature until patching is complete
- Limit API Key creation to a single key per organization where possible
- Ensure all API Keys within an organization have consistent privilege levels
- Implement network segmentation to restrict API access to trusted networks only
# Configuration example - Disable fine-grained access control in grafana.ini
[feature_toggles]
# Feature toggles are enabled as a comma-separated list in "enable"; FGAC is the
# "accesscontrol" toggle. To disable it until patching is complete, remove
# "accesscontrol" from the list (or leave the list empty, as here).
enable =
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


