CVE-2025-12141 LOW

CVE-2025-12141: Grafana Alerting Editors can edit destination of webhooks they did not create

Vendor Grafana
Product Grafana Alerting
Weakness CWE-200 · Info exposure
Published April 15, 2026
Last update April 15, 2026

CVSS base score

1.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/S:N/AU:Y

What the vulnerability does

01Description

In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.

Key dates

02Disclosure timeline

April 15, 2026 CVE published
April 15, 2026 Record updated