Improper Preservation of Permissions in github.com/grafana/grafana/pkg/api/pluginproxy | CVE-2025-3260

Q: How to fix?

Upgrade github.com/grafana/grafana/pkg/api/pluginproxy to version 11.6.0+security-01 or higher.

Introduced: 25 Apr 2025

NewCVE-2025-3260 (opens in a new tab) CWE-281 (opens in a new tab)

How to fix?

Upgrade github.com/grafana/grafana/pkg/api/pluginproxy to version 11.6.0+security-01 or higher.

Overview

github.com/grafana/grafana/pkg/api/pluginproxy is an open-source platform for monitoring and observability.

Affected versions of this package are vulnerable to Improper Preservation of Permissions in the proxy routing behavior, which allows certain users to bypass dashboard-specific permissions. A user with the Viewer role can view all dashboards in their org, and a user with the Editor role can view, edit, or delete all dashboards in their org.

This vulnerability is exploitable by authenticated users as well as anonymously authenticated users if anonymous authentication is enabled.

Workaround

This vulnerability can be avoided by enabling network policies that block all inbound traffic to the following endpoints:

/apis/dashboard.grafana.app/v0alpha1
/apis/dashboard.grafana.app/v1alpha1
/apis/dashboard.grafana.app/v2alpha1

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Improper Preservation of Permissions Affecting github.com/grafana/grafana/pkg/api/pluginproxy package, versions >=11.6.0 <11.6.0+security-01

Severity

Do your applications use this vulnerable package?