CVE-2022-39306 MEDIUM

CVE-2022-39306: Grafana contains Improper Input Validation

Vendor Grafana

Product grafana

Weakness CWE-20 · Input validation

Published November 9, 2022

Last update January 28, 2026

View on NVD All CVEs

CVSS base score

6.4/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.

Key dates

02Disclosure timeline

November 9, 2022 CVE published

January 28, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-39306

Related vulnerabilities

Identifiers

CVE CVE-2022-39306

CWE CWE-20

CVSS 6.4 / MEDIUM

Affected versions

Vendor Grafana

Product grafana

Affected < 8.5.15

Vendor Grafana

Product grafana

Affected >= 9.v9.0.0-beta1, < 9.2.4

CVE-2022-39306: Grafana contains Improper Input Validation

01Description

02Disclosure timeline

03References

04Related CVE