CVE-2024-8118 Overview
CVE-2024-8118 is a broken access control vulnerability in Grafana. The alert rule write API endpoint enforces the wrong permission check. Users granted permission to write external alert instances can also write alert rules, exceeding their intended authorization boundary.
The flaw is classified under CWE-653: Improper Isolation or Compartmentalization. Exploitation requires an authenticated user who already holds the permission to write external alert instances; the consequence is unintended access to alert rule modification.
Critical Impact
Authenticated users with external alert instance write permissions can modify Grafana alert rules, bypassing the principle of least privilege and potentially disrupting monitoring and incident response workflows.
Affected Products
- Grafana (alert rule write API endpoint)
- Refer to the Grafana Security Advisory CVE-2024-8118 for affected version ranges
- Self-hosted and Grafana Cloud deployments using fine-grained role-based access control
Discovery Timeline
- 2024-09-26 - CVE-2024-8118 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-8118
Vulnerability Analysis
Grafana uses fine-grained role-based access control (RBAC) to gate API endpoints. Each endpoint declares the permission required to invoke it. The alert rule write API endpoint declares the permission associated with external alert instances rather than the permission for writing alert rules.
As a result, a user authorized only to write external alert instances passes the authorization check on the alert rule write endpoint. The user can then create, modify, or delete alert rules. This is an authorization scope violation rather than an authentication flaw.
The attack requires network access to the Grafana API and valid credentials with the external alert instance write permission. No user interaction is needed. The confidentiality, integrity, and availability impacts are limited because the action is constrained to alerting subsystem objects.
Root Cause
The root cause is a permission mapping error in the endpoint handler registration. The endpoint references the wrong permission constant when registering its authorization middleware. This is consistent with the CWE-653 classification, which addresses insufficient isolation between security domains within a single application.
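The mapping error described above is easiest to see in code. The following is an added illustration, not Grafana's source: a minimal RBAC middleware where each endpoint declares one required action, with the alert rule write route registered once behind the external-instance action (the defect) and once behind the alert rule action (the fix). The two action strings are the Grafana RBAC action names for these permissions; the Principal type, the context plumbing, the router and the handler are constructed for the example.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// The two action strings are Grafana RBAC action names. The middleware,
// router and principal model below are constructed for this example and
// are not Grafana's code.
const (
	ActionAlertRulesWrite        = "alert.rules:write"
	ActionAlertInstancesExtWrite = "alert.instances.external:write"
)

// Principal is a minimal stand-in for an authenticated identity whose
// RBAC evaluation has already been resolved to a set of allowed actions.
type Principal struct {
	Login   string
	Actions map[string]bool
}

type principalKey struct{}

// withPrincipal attaches the identity to the request, as an auth layer would.
func withPrincipal(r *http.Request, p *Principal) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), principalKey{}, p))
}

// requirePermission gates a handler on one declared action. Passing the
// wrong action here is the kind of mapping error behind CVE-2024-8118.
func requirePermission(action string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		p, ok := r.Context().Value(principalKey{}).(*Principal)
		if !ok || !p.Actions[action] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

func writeAlertRule(w http.ResponseWriter, _ *http.Request) {
	w.WriteHeader(http.StatusAccepted) // stand-in for persisting the rule
}

const alertRulesPath = "/api/v1/provisioning/alert-rules"

// vulnerableMux registers the alert rule write endpoint behind the
// external-instance write permission: the wrong constant.
func vulnerableMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc(alertRulesPath, requirePermission(ActionAlertInstancesExtWrite, writeAlertRule))
	return mux
}

// fixedMux registers the same endpoint behind the alert rule write permission.
func fixedMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc(alertRulesPath, requirePermission(ActionAlertRulesWrite, writeAlertRule))
	return mux
}

// attempt POSTs to the alert rule endpoint as p and returns the HTTP status.
func attempt(mux http.Handler, p *Principal) int {
	req := httptest.NewRequest(http.MethodPost, alertRulesPath, nil)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, withPrincipal(req, p))
	return rec.Code
}

func main() {
	externalWriter := &Principal{Login: "svc-external-alerts",
		Actions: map[string]bool{ActionAlertInstancesExtWrite: true}}
	ruleWriter := &Principal{Login: "alerting-admin",
		Actions: map[string]bool{ActionAlertRulesWrite: true}}

	fmt.Println("vulnerable mapping, external-instance writer:", attempt(vulnerableMux(), externalWriter)) // 202
	fmt.Println("fixed mapping, external-instance writer:    ", attempt(fixedMux(), externalWriter))      // 403
	fmt.Println("fixed mapping, alert rule writer:           ", attempt(fixedMux(), ruleWriter))          // 202
}
```

The only difference between the two routers is the constant handed to requirePermission, which is why this class of defect survives review so easily: the authorization check is present and working, it is just bound to the wrong permission. A unit test per endpoint asserting the required action, as the test-style calls in main do, is the cheapest guard against it.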
Attack Vector
An authenticated attacker with the external alert instance write role sends a write request to the alert rule API endpoint. The Grafana authorization layer evaluates the misconfigured permission and accepts the request. The attacker can then alter alert rule definitions, silence alerts, or introduce malicious rule expressions that suppress detections during a follow-on attack.
No verified public exploit code is available for CVE-2024-8118. The vulnerability mechanism is described in prose because no validated proof-of-concept exists. See the Grafana Security Advisory CVE-2024-8118 for vendor-confirmed technical detail.
Detection Methods for CVE-2024-8118
Indicators of Compromise
- Unexpected PUT, POST, or DELETE requests against /api/v1/provisioning/alert-rules or /api/ruler/grafana/api/v1/rules/... originating from users that hold only external alert instance write permission.
- Audit log entries showing alert rule create or update events attributed to accounts not assigned the alert rule writer role.
- Sudden modification or deletion of production alert rules without a corresponding change-management ticket.
Detection Strategies
- Compare Grafana audit logs against the documented RBAC role assignments and flag any alert rule write event performed by an identity lacking the alert rule writer role.
- Baseline normal alert rule change frequency per user and alert on statistical deviations.
- Enable Grafana access logging at the API layer and forward to a SIEM for correlation with identity events.
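The first indicator and the first detection strategy above (alert rule writes by identities that do not hold the alert rule writer role) can be implemented as a simple join between the log stream and the documented role assignments. The code below is an added example, not part of the advisory or of Grafana: it parses constructed NDJSON audit lines, matches write methods against the two alert rule API path prefixes named above, and reports every such write by a user without the writer role. The four-field record shape, the role names and the sample lines are all constructed; real Grafana audit or proxy logs must be mapped onto those fields first.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// AuditEvent is the record shape assumed for this example. Real Grafana
// audit log and reverse-proxy access log fields differ; map them onto
// these four fields before feeding them in.
type AuditEvent struct {
	User   string `json:"user"`
	Method string `json:"method"`
	Path   string `json:"path"`
	Status int    `json:"status"`
}

// Constructed NDJSON sample, not real Grafana output.
const sampleAuditLog = `{"user":"alice","method":"GET","path":"/api/v1/provisioning/alert-rules","status":200}
{"user":"bob","method":"POST","path":"/api/v1/provisioning/alert-rules","status":201}
{"user":"svc-external-alerts","method":"PUT","path":"/api/ruler/grafana/api/v1/rules/prod-folder/cpu-group","status":202}
{"user":"svc-external-alerts","method":"POST","path":"/api/alertmanager/grafana/api/v2/alerts","status":200}
{"user":"carol","method":"DELETE","path":"/api/v1/provisioning/alert-rules/abc123","status":204}
{"user":"bob","method":"PUT","path":"/api/v1/provisioning/alert-rules/def456","status":400}`

// Constructed role names standing in for the documented RBAC assignments.
const (
	roleAlertRuleWriter        = "alert-rule-writer"
	roleExternalInstanceWriter = "external-instance-writer"
)

var roleAssignments = map[string][]string{
	"alice":               {"viewer"},
	"bob":                 {roleAlertRuleWriter},
	"svc-external-alerts": {roleExternalInstanceWriter},
	"carol":               {"viewer"},
}

// The two alert rule write path prefixes from the advisory, with or without
// a trailing rule or group identifier; the alertmanager API is not matched.
var alertRulePath = regexp.MustCompile(`^/api/(v1/provisioning/alert-rules|ruler/grafana/api/v1/rules)(/|$)`)

var writeMethods = map[string]bool{"POST": true, "PUT": true, "DELETE": true}

// isAlertRuleWrite reports whether an event is a write to an alert rule endpoint.
func isAlertRuleWrite(e AuditEvent) bool {
	return writeMethods[e.Method] && alertRulePath.MatchString(e.Path)
}

func hasRole(roles map[string][]string, user, role string) bool {
	for _, r := range roles[user] {
		if r == role {
			return true
		}
	}
	return false
}

// Finding is one alert rule write by an identity that lacks the writer role.
// Status is kept so rejected attempts can be triaged alongside successes.
type Finding struct {
	User, Method, Path string
	Status             int
}

// findUnauthorizedRuleWrites parses NDJSON audit lines and returns every
// alert rule write attributed to an identity without the alert rule writer
// role in the supplied assignments. A malformed line fails the whole batch
// rather than being skipped silently.
func findUnauthorizedRuleWrites(ndjson string, roles map[string][]string) ([]Finding, error) {
	var findings []Finding
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var e AuditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("parse audit line %q: %w", line, err)
		}
		if isAlertRuleWrite(e) && !hasRole(roles, e.User, roleAlertRuleWriter) {
			findings = append(findings, Finding{e.User, e.Method, e.Path, e.Status})
		}
	}
	return findings, nil
}

func main() {
	findings, err := findUnauthorizedRuleWrites(sampleAuditLog, roleAssignments)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("ALERT user=%s %s %s status=%d\n", f.User, f.Method, f.Path, f.Status)
	}
}
```

On the sample data this flags the service account that holds only the external-instance role and a viewer who deleted a rule, while ignoring the legitimate writer's changes and the service account's own alertmanager traffic. The join uses the documented assignments rather than Grafana's live evaluation on purpose: when the application's own permission mapping is the thing that is wrong, the detection has to rely on an independent source of truth for who should be writing rules.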
Monitoring Recommendations
- Forward Grafana audit logs and reverse-proxy access logs to a centralized log analytics platform with retention sufficient for incident review.
- Monitor for changes to alert rule definitions, especially expressions that broaden thresholds or disable evaluations.
- Track authentication events for service accounts holding external alert instance permissions and alert on unusual API call patterns.
How to Mitigate CVE-2024-8118
Immediate Actions Required
- Upgrade Grafana to the fixed version listed in the Grafana Security Advisory CVE-2024-8118.
- Review all users and service accounts assigned the external alert instance write permission and remove the grant where it is not required.
- Audit recent alert rule changes for unauthorized modifications and restore known-good rule definitions from version control or backups.
Patch Information
Grafana Labs has released patched Grafana versions that correct the permission mapping on the alert rule write API endpoint. The fix enforces the alert rule writer permission rather than the external alert instance writer permission. Consult the Grafana Security Advisory CVE-2024-8118 for the exact patched versions covering the OSS and Enterprise distributions.
Workarounds
- Revoke the external alert instance write permission from any account that does not strictly require it until the patch is applied.
- Place Grafana behind a reverse proxy that restricts write methods on /api/v1/provisioning/alert-rules and /api/ruler/... to allow-listed administrative identities.
- Store alert rule definitions in Git and reconcile drift continuously so unauthorized changes are detected and reverted automatically.
# Example: list Grafana users and their permissions to identify accounts holding
# the external alert instance write permission that should be reviewed.
# The jq filter assumes the response is an array of user records, each with a
# "permissions" array of {action, scope} objects; adjust it if your Grafana
# version returns a different shape. any() prints each matching user once.
curl -s -u "admin:$GRAFANA_ADMIN_PASSWORD" \
  https://grafana.example.com/api/access-control/users/permissions/search \
  | jq '.[] | select(any(.permissions[]?; .action == "alert.instances.external:write"))'
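The reverse-proxy workaround in the list above (restricting write methods on the alert rule paths to allow-listed administrative identities) can be implemented in any proxy; the following added example does it in Go so the behaviour can be exercised offline. It is not Grafana's code or an official workaround. It assumes an authenticating front proxy sets the user identity in the X-WEBAUTH-USER header (the default header name Grafana's auth-proxy mode reads) and strips that header from client requests; the allow-list, the upstream address and the in-process stub standing in for Grafana are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"regexp"
)

// Paths from the advisory's workaround list. "ruler/" covers the whole
// ruler API, matching the advisory's "/api/ruler/..." wording.
var restrictedPaths = regexp.MustCompile(`^/api/(v1/provisioning/alert-rules|ruler/)`)

var writeMethods = map[string]bool{"POST": true, "PUT": true, "PATCH": true, "DELETE": true}

// identityHeader is assumed to be set by a trusted authenticating front
// proxy and stripped from inbound client requests (an assumption of this
// example, not something the advisory specifies).
const identityHeader = "X-WEBAUTH-USER"

// writeGate refuses write methods on the restricted paths unless the
// identity header names an allow-listed administrator; everything else
// passes through to the upstream handler unchanged.
func writeGate(upstream http.Handler, allowed map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if writeMethods[r.Method] && restrictedPaths.MatchString(r.URL.Path) {
			if !allowed[r.Header.Get(identityHeader)] {
				http.Error(w, "alert rule writes are restricted at the proxy", http.StatusForbidden)
				return
			}
		}
		upstream.ServeHTTP(w, r)
	})
}

// handlerTransport lets the reverse proxy talk to an in-process stub
// instead of a network listener, so the example runs offline.
type handlerTransport struct{ h http.Handler }

func (t handlerTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// newGatedProxy builds a reverse proxy to target wrapped in the write gate.
func newGatedProxy(target *url.URL, transport http.RoundTripper, allowed map[string]bool) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Transport = transport
	return writeGate(proxy, allowed)
}

// probe runs one request through a gated proxy fronting a stub Grafana
// that answers 200 to everything, and returns the status the client sees.
func probe(method, path, user string) int {
	stub := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	target, _ := url.Parse("http://grafana.internal:3000") // constructed upstream address
	gate := newGatedProxy(target, handlerTransport{stub}, map[string]bool{"alerting-admin": true})

	req := httptest.NewRequest(method, path, nil)
	if user != "" {
		req.Header.Set(identityHeader, user)
	}
	rec := httptest.NewRecorder()
	gate.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("anonymous POST alert-rules:       ", probe("POST", "/api/v1/provisioning/alert-rules", ""))
	fmt.Println("bob PUT ruler group:              ", probe("PUT", "/api/ruler/grafana/api/v1/rules/prod/cpu", "bob"))
	fmt.Println("alerting-admin POST alert-rules:  ", probe("POST", "/api/v1/provisioning/alert-rules", "alerting-admin"))
	fmt.Println("anonymous GET alert-rules:        ", probe("GET", "/api/v1/provisioning/alert-rules", ""))
	fmt.Println("bob POST dashboards (unaffected): ", probe("POST", "/api/dashboards/db", "bob"))
}
```

The gate is a compensating control, not a fix: it narrows who can reach the misconfigured endpoint from the network side while the vulnerable permission mapping remains in the application, so it must be paired with the upgrade and with the identity review above. Its safety also depends entirely on the identity header being unforgeable from the client side, which is why the header must be set only by the authenticating proxy and dropped from every inbound request.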
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.