CVE-2025-12141 Overview
CVE-2025-12141 is an Information Disclosure vulnerability in Grafana's alerting system that allows users with contact point edit permissions to extract sensitive authentication credentials. Users with alert.notifications:write or alert.notifications.receivers:test permissions—granted as part of the fixed role "Contact Point Writer" included in the basic Editor role—can modify contact points created by other users. By changing the endpoint URL to an attacker-controlled server and invoking the test functionality, attackers can capture and extract redacted secure settings, including authentication credentials for third-party services such as Slack tokens.
Critical Impact
Unauthorized extraction of authentication credentials for third-party service integrations, potentially leading to compromise of external systems and services connected to Grafana.
Affected Products
- Grafana (versions with alerting system contact point functionality)
Discovery Timeline
- 2026-04-15 - CVE-2025-12141 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-12141
Vulnerability Analysis
This vulnerability stems from improper access control within Grafana's contact point management system. The core issue lies in the combination of overly permissive role assignments and the test functionality that transmits secure settings to user-specified endpoints.
When a user with Editor role accesses Grafana, they inherit the "Contact Point Writer" fixed role, which grants permissions to modify contact points. The vulnerability allows these users to edit contact points they did not create, including those configured by administrators with sensitive third-party service credentials.
The test functionality in Grafana's alerting system sends notification payloads to the configured endpoint URL to verify connectivity. When an attacker modifies the endpoint URL to point to a server they control and triggers this test, Grafana transmits the complete notification payload—including authentication credentials that are normally redacted in the user interface.
Root Cause
The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability exists because:
- Insufficient authorization checks: The system fails to properly restrict contact point modifications to only the original creator or administrators
- Credential exposure in test payloads: The test notification functionality includes secure settings in its transmission rather than using placeholder values
- Role privilege creep: The Editor role inherits contact point write permissions that enable cross-user modifications
Attack Vector
The attack is network-based and requires authentication with at least Editor-level privileges. An attacker exploits this vulnerability through the following mechanism:
- The attacker authenticates to Grafana with a user account having Editor role or equivalent permissions
- They enumerate existing contact points configured by other users, particularly those with third-party integrations like Slack, PagerDuty, or email services
- The attacker modifies a target contact point's endpoint URL to point to their controlled server
- By invoking the "Test" functionality on the modified contact point, Grafana sends a test notification to the attacker's server
- The attacker's server captures the request, which contains authentication tokens and credentials that were previously hidden/redacted in the UI
This attack requires no user interaction and can be executed by any authenticated user with the appropriate permissions.
Detection Methods for CVE-2025-12141
Indicators of Compromise
- Unexpected modifications to contact point configurations, particularly endpoint URL changes
- Contact point test requests directed to external or unfamiliar domain names
- Multiple contact point modifications by users who did not originally create them
- Unusual patterns of contact point test invocations
Detection Strategies
- Monitor Grafana audit logs for contact point modification events, filtering for changes to endpoint URLs
- Implement alerting on contact point test functionality usage, especially when targeting non-organizational domains
- Review user activity logs for Editor-role users making changes to contact points they did not create
- Deploy network monitoring to detect outbound connections from Grafana to unexpected external endpoints
Monitoring Recommendations
- Enable comprehensive audit logging in Grafana for all alerting configuration changes
- Configure SIEM rules to correlate contact point modifications with subsequent test invocations
- Implement allowlisting for permitted notification endpoint domains where possible
- Regularly review contact point configurations for unauthorized modifications
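The correlation and allowlist checks listed above, as an added detection example that is not part of this advisory: it walks a stream of contact point events, remembers edits that point an endpoint at a host outside an assumed allowlist, and raises an alert when the same user tests that contact point within a short window. The event record shape and the allowlist are assumptions, not Grafana's audit log schema.

```python
# Added example: correlate contact point edits with a following test call,
# flagging edits that point the endpoint at a host outside an allowlist.
# Event dicts below are a constructed shape, not Grafana's audit log schema.
from urllib.parse import urlparse

ALLOWED_HOSTS = {"hooks.slack.com", "events.pagerduty.com"}  # assumed allowlist
WINDOW_SECONDS = 600  # test within 10 minutes of the edit counts as correlated


def host_allowed(url):
    """True when the URL host equals or is a subdomain of an allowed host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def detect(events):
    """Return one alert per (user, contact point) edit-then-test sequence."""
    alerts, pending = [], {}  # pending: (user, cp) -> suspicious edit event
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["cp"])
        if ev["action"] == "contact_point.update":
            if host_allowed(ev["url"]):
                pending.pop(key, None)  # endpoint back on an allowed host
            else:
                pending[key] = ev
        elif ev["action"] == "contact_point.test":
            edit = pending.pop(key, None)
            if edit and ev["ts"] - edit["ts"] <= WINDOW_SECONDS:
                alerts.append({"user": ev["user"], "cp": ev["cp"],
                               "url": edit["url"],
                               "cross_user": edit["owner"] != ev["user"]})
    return alerts


SAMPLE_EVENTS = [  # constructed sample events
    {"ts": 100, "user": "alice", "cp": "slack-ops", "owner": "admin",
     "action": "contact_point.update", "url": "https://hooks.slack.com/services/x"},
    {"ts": 130, "user": "alice", "cp": "slack-ops", "owner": "admin",
     "action": "contact_point.test"},
    {"ts": 200, "user": "bob", "cp": "slack-ops", "owner": "admin",
     "action": "contact_point.update", "url": "https://collector.example.net/hook"},
    {"ts": 260, "user": "bob", "cp": "slack-ops", "owner": "admin",
     "action": "contact_point.test"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the edit that moved the endpoint off the allowlist and was then tested produces an alert; the cross_user flag marks that the editor was not the contact point's creator, the extra signal the review guidance above asks for.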
How to Mitigate CVE-2025-12141
Immediate Actions Required
- Review and restrict contact point edit permissions to only authorized administrators
- Audit all existing contact points for unauthorized endpoint URL modifications
- Rotate credentials for any third-party integrations configured in Grafana contact points
- Review user accounts with Editor role and evaluate necessity of contact point write permissions
Patch Information
Refer to the Grafana Security Advisory CVE-2025-12141 for official patch information and updated versions. Organizations should upgrade to the patched version as soon as it becomes available from Grafana Labs.
Workarounds
- Remove alert.notifications:write and alert.notifications.receivers:test permissions from the Editor role until patches are applied
- Create a custom role without contact point modification privileges for standard users
- Implement network-level controls to restrict Grafana's outbound connections to approved notification endpoints only
- Use Grafana's team-based access controls to isolate contact points between different user groups
# Example: Review Grafana role permissions via API
# List the roles defined in the instance (including fixed roles such as
# "Contact Point Writer") to see what the Editor role is granted
curl -H "Authorization: Bearer $GRAFANA_API_KEY" \
  https://your-grafana-instance/api/access-control/roles
# List all contact points to audit their endpoint URLs for unauthorized changes
curl -H "Authorization: Bearer $GRAFANA_API_KEY" \
  https://your-grafana-instance/api/v1/provisioning/contact-points
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.