Description

--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.

INFO

Published Date :

2026-04-15T18:57:25.185Z

Last Modified :

2026-04-15T19:57:25.515Z

Source :

GRAFANA
AFFECTED PRODUCTS

The following products are affected by CVE-2026-21727 vulnerability.

Vendors Products
Grafana
  • Grafana Correlations
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-21727.

URL Resource
https://grafana.com/security/security-advisories/cve-2026-21727 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-21727 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-21727 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact