During the development of a new feature in Grafana 11.6.x, a security vulnerability was introduced that allows Viewers and Editors to bypass dashboard-specific permissions. As a result, users with the Viewer role could view all the dashboards within their org, and users with the Editor role could view, edit, and delete all the dashboards in their org.
Note: Organization isolation boundaries still apply, which means viewers and editors in one organization cannot view or edit dashboards in another org. Also, this vulnerability does not allow users to query data via data sources they don’t have access to.
The CVSS score for this vulnerability is 8.3 HIGH.