CVE-2026-27877 (CVSS 6.5) is an information disclosure vulnerability in Grafana that exposes data-source passwords via public dashboards. The vulnerability affects Grafana versions prior to 9.3.0, versions 11.6.14 through 11.9.x, 12.1.10 through 12.1.x, 12.2.8 through 12.2.x, and 12.3.6 through 12.3.x. The flaw is fixed in Grafana versions 9.3.0, 12.0.0, 12.2.0, 12.3.0, and 12.4.0.
Red Hat Product Errata RHSA-2026:10223 - Security Advisory Issued: 2026-04-23 Updated: 2026-04-23 RHSA-2026:10223 - Security Advisory Overview Updated Packages Synopsis Important: grafana security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for grafana is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fix(es): grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 10 x86_64 Red Hat Enterprise Linux for IBM z Systems 10 s390x Red Hat Enterprise Linux for Power, little endian 10 ppc64le Red Hat Enterprise Linux for ARM 64 10 aarch64 Fixes BZ - 2452293 - CVE-2026-27877 grafana: Grafana: Information disclosure of data-source passwords via public dashboards CVEs CVE-2026-27877 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 10 SRPM grafana-10.2.6-24.el10_1.src.rpm SHA-256: e63fe9ab0edb1a7a8e99873a80c6ba053cecee2eeb1cf6d190a120111cb7133f x86_64 grafana-10.2.6-24.el10_1.x86_64.rpm SHA-256: 7643d4d89bf987d3da8a2fdf6c389e3ae373bdaa0328abdff1c494c470b1dcfc grafana-debuginfo-10.2.6-24.el10_1.x86_64.rpm SHA-256: 5ff0d2e47341f7edfc6d5cf2a58d6ce465a47ce93b4e79331d5daec3914ec8a2 grafana-debugsource-10.2.6-24.el10_1.x86_64.rpm SHA-256: 3ef19c4e02f91522300bca107e6245d5ddc8a0990a8cc02d418c86049834479c grafana-selinux-10.2.6-24.el10_1.x86_64.rpm SHA-256: 462dcd16c7c072e8ff191ad6a66f1709a25654616202fd17cb2d6a0402237e47 Red Hat Enterprise Linux for IBM z Systems 10 SRPM grafana-10.2.6-24.el10_1.src.rpm SHA-256: e63fe9ab0edb1a7a8e99873a80c6ba053cecee2eeb1cf6d190a120111cb7133f s390x grafana-10.2.6-24.el10_1.s390x.rpm SHA-256: ed639510a682409cb3202855cf0e1600b8d07e641140fe34ecd29437d96dc761 grafana-debuginfo-10.2.6-24.el10_1.s390x.rpm SHA-256: 0e50bf5eb0933ebb15e1b92adfe93eefeea999145d0ab422eb1ea5bf611a350e grafana-debugsource-10.2.6-24.el10_1.s390x.rpm SHA-256: c368feb42db74c8daccb035af1ba8055c232bec1e1c20060af3a6558aff1f77b grafana-selinux-10.2.6-24.el10_1.s390x.rpm SHA-256: 0701f71677211c586c4c35c510e1f4b45177a07f50ffc3682f82356a3505d7f0 Red Hat Enterprise Linux for Power, little endian 10 SRPM grafana-10.2.6-24.el10_1.src.rpm SHA-256: e63fe9ab0edb1a7a8e99873a80c6ba053cecee2eeb1cf6d190a120111cb7133f ppc64le grafana-10.2.6-24.el10_1.ppc64le.rpm SHA-256: 32ab8e61771ba6800fbfea90b0e9a64c3590d7981dc2bf7e3b1ff93eaa497375 grafana-debuginfo-10.2.6-24.el10_1.ppc64le.rpm SHA-256: 10062af5dfb7678f9f490405e307514df872d2b62e603b55262c1741752a45dc grafana-debugsource-10.2.6-24.el10_1.ppc64le.rpm SHA-256: 8b09ec2d34707ffdc819d73d1cb2579f04141153ee83082a90374bccf16e31e2 grafana-selinux-10.2.6-24.el10_1.ppc64le.rpm SHA-256: d5531fcc91dff140decdb3f008dcc9daca909c328e8f52155a6b643a7aa44f0c Red Hat Enterprise Linux for ARM 64 10 SRPM grafana-10.2.6-24.el10_1.src.rpm SHA-256: e63fe9ab0edb1a7a8e99873a80c6ba053cecee2eeb1cf6d190a120111cb7133f aarch64 grafana-10.2.6-24.el10_1.aarch64.rpm SHA-256: e2376ffd97106873cead640140f781a2324633018be213fc8c66d118000729b0 grafana-debuginfo-10.2.6-24.el10_1.aarch64.rpm SHA-256: 2c05501d4e887d07d8b0fe242cde02de869540dee278298a12be1ef173325503 grafana-debugsource-10.2.6-24.el10_1.aarch64.rpm SHA-256: 67e9bbb0afca673ed70b378b962f035a158b836af910c54bb34c76b51d4d2711 grafana-selinux-10.2.6-24.el10_1.aarch64.rpm SHA-256: 0de6da8617b63009b7cdb6ff1086acd8309f80079c097b30b685862463240fec The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .