Skip to main content

Insufficiently Protected Credentials


Severity High
Score 7.5/10


Grafana is an open-source observability and data visualization platform. Versions of Grafana for endpoints prior to 8.5.14, and 9.0.0 prior to 9.1.8 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.

  • LOW
  • NONE
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-522 - Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Advisory Timeline

  • Published