CVE-2026-21727
LowCVSS 3.3Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. A user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization.
Risk Assessment
This vulnerability may lead to unauthorized access to data between organizations, posing a risk to data confidentiality and integrity.
Recommendation
It is recommended to update Grafana to version >=11.6.11, >=12.0.9, >=12.1.6, or >=12.2.4 to mitigate this vulnerability.
Original NVD description (English source)
--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.

