Homepage

Improperly Controlled Modification of Dynamically-Determined Object Attributes The advisory has been revoked - it doesn't affect any version of package grafana-elasticsearch  (opens in a new tab)

Threat Intelligence

EPSS
0.6% (44th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-CENTOS8-GRAFANAELASTICSEARCH-16075234
  • published15 Apr 2026
  • disclosed10 Apr 2026
Report a new vulnerability Found a mistake?

Introduced: 10 Apr 2026

CVE-2026-40175  (opens in a new tab)
CWE-915  (opens in a new tab)

Amendment

The Centos security team deemed this advisory irrelevant for Centos:8.

NVD Description

Note: Versions mentioned in the description apply only to the upstream grafana-elasticsearch package and not the grafana-elasticsearch package as distributed by Centos.

Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.