CVE-2022-39328 CRITICAL

CVE-2022-39328: Grafana vulnerable to race condition allowing privilege escalation

Vendor: Grafana
Product: grafana
Weakness: CWE-362
Published: November 8, 2022
Last update: January 28, 2026

CVSS base score

9.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middleware logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.

Key dates

02 Disclosure timeline

November 8, 2022: CVE published
January 28, 2026: Record updated