4.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-wm7r-3qxj-5xgq

EPSS Score

CWE

CWE-284

Published

6/6/2023

Updated

2/13/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-wm7r-3qxj-5xgq

GHSA-wm7r-3qxj-5xgq: Duplicate Advisory: Grafana Improper Access Control vulnerability

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cvm3-pp2j-chr3. This link is maintained to preserve external references.

Original Description

Grafana is an open-source platform for monitoring and observability.

The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.

This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.

Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-wm7r-3qxj-5xgq

GHSA-wm7r-3qxj-5xgq:

4.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-wm7r-3qxj-5xgq

EPSS Score

CWE

CWE-284

Published

6/6/2023

Updated

2/13/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/grafana/grafana	go	< 8.5.26	8.5.26
github.com/grafana/grafana	go	>= 9.0.0, < 9.2.19	9.2.19
github.com/grafana/grafana

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from an API endpoint that handles test alert requests (/api/alertmanager/grafana/config/api/v1/receivers/test) which did not implement proper role-based access controls. While the UI hides this functionality from Viewers, the API handler itself failed to verify user permissions. The PoC demonstrates Viewer role users can successfully POST to this endpoint. The combination of missing authorization checks in the API handler (CWE-862) and improper access control (CWE-284) directly matches the vulnerability description. The file path is inferred from standard Grafana project structure where alert management API handlers are typically located.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.1

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-wm7r-3qxj-5xgq: Duplicate Advisory: Grafana Improper Access Control vulnerability

Duplicate Advisory

Original Description

GHSA-wm7r-3qxj-5xgq:

4.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

4.1

4.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-wm7r-3qxj-5xgq: Duplicate Advisory: Grafana Improper Access Control vulnerability

Duplicate Advisory

Original Description

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI