CVE-2024-6322 MEDIUM

Vendor: Grafana
Product: Grafana
Weakness: CWE-266
Published: August 20, 2024
Last update: November 23, 2025

CVSS base score

4.4/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

What the vulnerability does

01 Description

Access control for plugin data sources protected by the ReqActions JSON field of plugin.json is bypassed if the user or service account has been granted the associated access on any other data source, because the ReqActions check was not scoped to each specific data source. The account must already have query access to the impacted data source.
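The difference between an unscoped and a per-data-source check, as an added example in Go; this is a simplified model and not Grafana's code. The function names, the data source UIDs and the action `example-plugin.reports:read` are hypothetical; the action and scope strings only follow the naming format of Grafana's RBAC.

```go
package main

import "fmt"

// Permissions maps an RBAC action to the scopes it is granted on (simplified model).
type Permissions map[string][]string

// ReqActions holds a constructed action name standing in for a plugin.json ReqActions entry.
var ReqActions = []string{"example-plugin.reports:read"}

func dsScope(uid string) string { return "datasources:uid:" + uid }

// grantedOn reports whether action is granted on scope or on the data source wildcard.
func grantedOn(p Permissions, action, scope string) bool {
	for _, s := range p[action] {
		if s == scope || s == "datasources:*" {
			return true
		}
	}
	return false
}

// AllowUnscoped models the flaw: query access is checked per data source,
// but a required action passes if it is granted on any scope at all.
func AllowUnscoped(p Permissions, uid string, req []string) bool {
	ok := grantedOn(p, "datasources:query", dsScope(uid))
	for _, a := range req {
		ok = ok && len(p[a]) > 0
	}
	return ok
}

// AllowScoped requires every action on the scope of the requested data source.
func AllowScoped(p Permissions, uid string, req []string) bool {
	ok := grantedOn(p, "datasources:query", dsScope(uid))
	for _, a := range req {
		ok = ok && grantedOn(p, a, dsScope(uid))
	}
	return ok
}

// SamplePermissions is constructed: query on ds-a and ds-b, plugin action on ds-a only.
func SamplePermissions() Permissions {
	a, b := dsScope("ds-a"), dsScope("ds-b")
	return Permissions{"datasources:query": {a, b}, ReqActions[0]: {a}}
}

func main() { fmt.Println(AllowUnscoped(SamplePermissions(), "ds-b", ReqActions)) }
```

A regression test for a fix of this kind should include an account holding the plugin action on one data source and only query access on another, as in the sample above.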

Key dates

02 Disclosure timeline

August 20, 2024: CVE published
November 23, 2025: Record updated