CVE-2026-32117 Overview
A stored Cross-Site Scripting (XSS) vulnerability exists in the grafanacubism-panel plugin for Grafana. In versions 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / window.open() with no scheme validation. An attacker with dashboard Editor privileges can set the link to a javascript: URI; when any Viewer drag-zooms on the panel, the payload executes in the Grafana origin.
Critical Impact
Attackers with Editor privileges can inject malicious JavaScript payloads that execute in the context of Grafana, potentially leading to session hijacking, data exfiltration, or further privilege escalation when Viewers interact with compromised dashboards.
Affected Products
- grafanacubism-panel plugin version 0.1.2 and earlier
- Grafana instances with the grafanacubism-panel plugin installed
Discovery Timeline
- 2026-03-11 - CVE-2026-32117 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32117
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting). The grafanacubism-panel plugin implements cubism.js visualization capabilities within Grafana dashboards. The vulnerability stems from insufficient input validation in the zoom-link handler functionality.
When a dashboard Editor configures a zoom link URL for the cubism panel, the application accepts and stores this URL without validating the URI scheme. The stored URL is later passed directly to window.location.assign() or window.open() when users interact with the panel's drag-zoom feature. This missing check allows javascript: URIs to be stored as the link and executed as arbitrary JavaScript in the context of the Grafana web application origin.
The attack requires Editor privileges to configure the malicious payload but affects all Viewers who subsequently interact with the compromised dashboard panel.
Root Cause
The root cause is missing URL scheme validation before passing user-controlled input to browser navigation APIs. The zoom-link handler in CubismPanelHelper.ts directly uses editor-supplied URLs without sanitization, allowing javascript: protocol handlers to be injected and executed.
Attack Vector
An attacker with dashboard Editor privileges crafts a malicious javascript: URI as the zoom link configuration. When a Viewer performs a drag-zoom action on the affected cubism panel, the unsanitized URL is passed to window.location.assign() or window.open(), triggering execution of the attacker's JavaScript payload within the authenticated user's Grafana session. This can be leveraged to steal session tokens, perform actions as the victim user, or exfiltrate sensitive dashboard data.
The following patch demonstrates the security fix implemented to address this vulnerability:
import * as cubism from 'cubism-ng';
import * as d3 from 'd3';
-import { DataHoverEvent, EventBus, PanelData, DataFrame } from '@grafana/data';
+import { DataHoverEvent, EventBus, PanelData, DataFrame, textUtil } from '@grafana/data';
import { getSerieByName, convertAllDataToCubism } from '../cubism_utils';
import { log_debug } from '../misc_utils';
import { calculateSecondOffset } from '../date_utils';
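Review bot: the hunk shown only adds textUtil to the @grafana/data import; the call site in CubismPanelHelper.ts where the stored zoom link is handed to window.location.assign() / window.open() is not in the excerpt, so a reviewer cannot confirm from these lines that both navigation paths go through the sanitizer. Please include that hunk, and if the helper returns a neutral placeholder for rejected input rather than throwing, make sure the handler skips navigation entirely instead of navigating to the placeholder.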
Source: GitHub Commit Update
The fix imports textUtil from @grafana/data to sanitize zoom link URLs before passing them to browser navigation APIs, preventing javascript: URI execution.
Detection Methods for CVE-2026-32117
Indicators of Compromise
- Dashboard configurations containing javascript: URIs in cubism panel zoom-link settings
- Unusual dashboard modifications by Editor accounts, particularly targeting cubism panel configurations
- Unexpected network requests to external hosts, or browser console errors, triggered during drag-zoom interactions on cubism panels
- Unexpected session activity or API calls originating from Viewer sessions after dashboard interactions
Detection Strategies
- Audit Grafana dashboard JSON configurations for cubism panels with suspicious zoom-link values containing javascript:, data:, or other non-HTTP(S) schemes
- Monitor Grafana audit logs for dashboard edit operations modifying panel link configurations
- Implement Content Security Policy (CSP) headers to detect and report inline script execution attempts
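As an added illustration, not the plugin's code and not the textUtil-based fix from the patch, the following shows the scheme check the root cause calls for (the unchecked handler shape beside the hardened one) and the dashboard-JSON audit described in the first Detection Strategies item. The option key zoomLink, the panel type string 'grafanacubism-panel', and the nav object standing in for window.location are assumptions.

```javascript
// Added example, not the plugin's own code. Option key `zoomLink` and panel
// type 'grafanacubism-panel' are assumed; check the real dashboard JSON.
// True only for absolute or relative references that resolve to http(s). The
// URL parser strips surrounding whitespace and lower-cases the scheme, so
// padded or mixed-case javascript:/data: variants are still rejected.
function isSafeZoomUrl(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') return false;
  try {
    return /^https?:$/.test(new URL(raw, 'https://grafana.example/').protocol);
  } catch {
    return false; // unparsable input is never navigated to
  }
}

// Shape of the defect: the stored link reaches navigation unchecked. `nav`
// stands in for window.location so the example runs outside a browser.
function vulnerableZoomHandler(nav, url) {
  nav.assign(url);
  return true;
}

// Hardened shape: navigate only when the scheme check passes.
function hardenedZoomHandler(nav, url) {
  if (!isSafeZoomUrl(url)) return false;
  nav.assign(url);
  return true;
}

// Detection step: walk a dashboard's panels (rows nest their own panels) and
// report cubism panels whose zoom link fails the scheme check.
function findUnsafeZoomLinks(dashboard, panelType = 'grafanacubism-panel') {
  const findings = [];
  const walk = (panels) => {
    for (const p of panels || []) {
      const link = p.options && p.options.zoomLink;
      if (p.type === panelType && link !== undefined && !isSafeZoomUrl(link)) {
        findings.push({ id: p.id, title: p.title, zoomLink: link });
      }
      if (Array.isArray(p.panels)) walk(p.panels);
    }
  };
  walk(dashboard.panels);
  return findings;
}
// Constructed sample dashboard (not from any real instance).
const SAMPLE_DASHBOARD = { panels: [
  { id: 1, type: 'grafanacubism-panel', title: 'ok', options: { zoomLink: 'https://grafana.example/d/abc' } },
  { id: 2, type: 'grafanacubism-panel', title: 'bad', options: { zoomLink: ' JaVaScRiPt:void(0)' } },
  { id: 3, type: 'row', panels: [{ id: 4, type: 'grafanacubism-panel', title: 'nested', options: { zoomLink: 'data:text/html,x' } }] },
] };
```

Run findUnsafeZoomLinks over each exported dashboard JSON (Grafana's dashboard API returns the same structure) to list the panels that need manual review.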
Monitoring Recommendations
- Enable verbose logging for dashboard modification events in Grafana
- Configure web application firewall (WAF) rules to detect javascript: URI patterns in POST/PUT requests to dashboard APIs
- Implement real-time alerting for dashboard configuration changes that include suspicious URI schemes
How to Mitigate CVE-2026-32117
Immediate Actions Required
- Update the grafanacubism-panel plugin to a patched version that includes URL sanitization
- Audit existing dashboards for cubism panels with potentially malicious zoom-link configurations
- Temporarily disable the grafanacubism-panel plugin if immediate patching is not feasible
- Review Editor account access and apply the principle of least privilege
Patch Information
The vulnerability has been addressed in a security patch. The fix implements URL sanitization using Grafana's textUtil utility before passing URLs to browser navigation APIs. Organizations should update to the latest version of the grafanacubism-panel plugin. For technical details, refer to the GitHub Security Advisory and the security patch commit.
Workarounds
- Remove or disable the grafanacubism-panel plugin until patching is complete
- Restrict dashboard Editor privileges to trusted users only
- Implement strict Content Security Policy headers to mitigate XSS impact (note: this may not fully prevent all attack scenarios)
- Manually audit and remove any suspicious zoom-link configurations from existing dashboards
# Configuration example - Content Security Policy header for Grafana
# Deliver it either through Grafana's own [security] content_security_policy settings in grafana.ini
# or from the reverse proxy in front of Grafana
# Note: this is a defense-in-depth measure, not a complete fix. A script-src stricter than Grafana's
# own CSP template can break the Grafana UI (its bootstrap relies on nonce-allowed inline script),
# so test the policy in staging before rolling it out
Content-Security-Policy: script-src 'self'; object-src 'none';
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.