CVE-2026-21722

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-21722
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21722.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-21722
Aliases
Downstream
Related
Published
2026-02-12T09:16:08.763Z
Modified
2026-04-10T13:29:32.188012015Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.

This did not leak any annotations that would not otherwise be visible on the public dashboard.

References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Introduced
e9cb2a313ecc5a8e3cfeca7d2b7df2878802096e
Fixed
b0865c0373937d9758e189c7047de975899f9de0
Introduced
4c0e7045f97f356716755b47183b22e7f12bb4bf
Fixed
00d95b43e16d3df830282983ed177453b17e0910
Introduced
92f1fba9b4b6700328e99e97328d6639df8ddc3d
Last affected
5b73bf4c34ee8f0ffef915410416bc395e72b2d3
Introduced
20051fb1fc604fc54aae76356da1c14612af41d0
Last affected
df2547decd50d14defa20ec9ce1c2e2bc9462d72
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
b0865c0373937d9758e189c7047de975899f9de0
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
00d95b43e16d3df830282983ed177453b17e0910
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
5b73bf4c34ee8f0ffef915410416bc395e72b2d3
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
df2547decd50d14defa20ec9ce1c2e2bc9462d72
Database specific 
{
    "versions": [
        {
            "introduced": "9.3.0"
        },
        {
            "fixed": "11.6.10"
        },
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "12.1.6"
        },
        {
            "introduced": "12.2.0"
        },
        {
            "last_affected": "12.2.4"
        },
        {
            "introduced": "12.3.0"
        },
        {
            "last_affected": "12.3.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "11.6.10-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "12.1.6-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "12.2.4-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "12.3.2-NA"
        }
    ]
}

Affected versions

pkg/promlib/v0.*
pkg/promlib/v0.0.1
pkg/promlib/v0.0.2
pkg/promlib/v0.0.3
pkg/promlib/v0.0.4
pkg/promlib/v0.0.5
pkg/promlib/v0.0.6
pkg/promlib/v0.0.7
pkg/promlib/v0.0.8
pkg/util/xorm/v0.*
pkg/util/xorm/v0.0.1
v0.*
v0.0.0-cloud
v0.0.1-test
v1.*
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.7.0-rc1
v1.9.0
v1.9.0-rc1
v1.9.1
v10.*
v10.0.0-preview
v11.*
v11.6.0
v11.6.10
v11.6.2
v11.6.4
v11.6.5
v11.6.6
v11.6.7
v11.6.8
v11.6.9
v12.*
v12.1.0
v12.1.1
v12.1.2
v12.1.3
v12.1.4
v12.1.5
v12.1.6
v12.2.1
v12.2.2
v12.2.3
v12.2.4
v12.3.1
v12.3.2
v2.*
v2.0.0-beta1
v2.0.0-beta3
v2.0.1
v2.0.2
v2.5.0
v2.6.0
v2.6.0-beta1
v3.*
v3.0.0-beta6
v3.0.0-beta7
v3.0.1
v3.0.2
v3.1.0-beta1
v3.2.1-test
v4.*
v4.4.0
v4.5.0
v4.5.0-beta1
v4.6.0-beta1
v5.*
v5.,2.4
v5.0.0
v5.0.0-beta1
v5.0.0-beta2
v5.0.0-beta3
v5.0.0-beta4
v5.0.0-beta5
v6.*
v6.0.0-beta1
v6.5
v8.*
v8.3.3
v8.4.0-beta1
v8.5.16
v9.*
v9.3.0-beta1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21722.json"