CVE-2021-39226

9.8 CRITICAL

📋 TL;DR

This vulnerability in Grafana allows unauthenticated or authenticated users to view and delete the snapshot with the lowest database key via specific API endpoints. When public_mode is enabled, unauthenticated users can also delete snapshots, potentially leading to complete snapshot data loss. All Grafana instances below patched versions are affected.

💻 Affected Systems

Products:
  • Grafana
Versions: All versions below 7.5.11 and 8.1.6
Operating Systems: All platforms running Grafana
Default Config Vulnerable: ✅ No
Notes: Default public_mode setting is false, limiting unauthenticated deletion but not viewing. Authenticated exploitation works regardless of public_mode.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete loss of all snapshot data through sequential deletion, combined with unauthorized viewing of sensitive dashboard information exposed in snapshots.

🟠 Likely Case: Unauthorized deletion of critical snapshots containing monitoring dashboards, configuration data, or business intelligence visualizations.

🟢 If Mitigated: Minimal impact if snapshots are disabled or access controls prevent exploitation.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation is possible when public_mode is enabled and the snapshot endpoints are reachable from the internet.
🏢 Internal Only: HIGH - Authenticated users can exploit the flaw regardless of the public_mode setting, so it also carries insider-threat risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires simple HTTP requests to documented endpoints. Public proof-of-concept exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.5.11 or 8.1.6

Vendor Advisory: https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9

Restart Required: Yes

Instructions:

1. Back up your Grafana configuration and data.
2. Stop the Grafana service.
3. Upgrade to Grafana 7.5.11 (for the 7.x branch) or 8.1.6 (for the 8.x branch).
4. Restart the Grafana service.
5. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Block vulnerable endpoints via reverse proxy

Applies to: all

Configure the reverse proxy (nginx, Apache, etc.) to block access to the vulnerable API paths. Note that this also blocks legitimate snapshot creation and viewing for every user until the instance is patched.

# Example nginx location block
# /api/snapshots already covers /api/snapshots-delete as a prefix; the extra
# alternative is kept for readability. "deny all" alone yields a 403, so the
# explicit "return 403" is redundant but harmless.
location ~ ^/(api/snapshots|dashboard/snapshot|api/snapshots-delete) {
    deny all;
    return 403;
}

🧯 If You Can't Patch

  • Disable snapshot functionality entirely if not required
  • Implement strict network access controls to limit who can reach Grafana API endpoints

🔍 How to Verify

Check if Vulnerable:

Check Grafana version via web interface (Settings → About) or command line. If version is below 7.5.11 (for 7.x) or 8.1.6 (for 8.x), system is vulnerable.

Check Version:

grafana-server -v

Verify Fix Applied:

Confirm Grafana version is 7.5.11 or higher (7.x branch) or 8.1.6 or higher (8.x branch). Test that /api/snapshots/:key endpoints return proper authentication errors.
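The version comparison above has a branch-specific rule (7.x is fixed at 7.5.11, 8.x at 8.1.6), which is easy to get wrong by hand. The following is an added example, not part of the original page or of Grafana's own tooling: it encodes that rule and reads the version either from the text printed by `grafana-server -v` or from the JSON body of Grafana's /api/health endpoint. The sample CLI output and health body are constructed, and the exact `grafana-server -v` output format is assumed.

```python
"""Version check for the "How to Verify" steps (added example, not Grafana code)."""
import json
import re
import urllib.request

# Fixed releases stated on the page, keyed by major version branch.
FIXED = {7: (7, 5, 11), 8: (8, 1, 6)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from text such as 'Version 8.1.5 (commit: ...)' or '8.1.5-pre'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """Apply the affected-version rule: anything below 7.5.11, or 8.x below 8.1.6.

    Branches older than 7.x are covered by 'all versions below 7.5.11';
    9.x and later were released after the fix and are not affected.
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    major = v[0]
    if major < 7:
        return True
    if major in FIXED:
        return v < FIXED[major]
    return False


def version_from_health(body):
    """Extract the version string from a /api/health JSON response body."""
    return json.loads(body)["version"]


def check_instance(base_url, timeout=5):
    """Live check (needs network): GET <base_url>/api/health and evaluate the version."""
    url = f"{base_url.rstrip('/')}/api/health"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return is_vulnerable(version_from_health(resp.read().decode()))


# Constructed sample inputs (not captured from a real instance).
SAMPLE_CLI_OUTPUT = "Version 8.1.5 (commit: 0123abcd, branch: HEAD)"
SAMPLE_HEALTH_BODY = '{"commit": "0123abcd", "database": "ok", "version": "7.5.11"}'

if __name__ == "__main__":
    print("CLI sample vulnerable:", is_vulnerable(SAMPLE_CLI_OUTPUT))
    print("health sample vulnerable:", is_vulnerable(version_from_health(SAMPLE_HEALTH_BODY)))
```

`check_instance("https://grafana.example.internal")` runs the same rule against a live instance; /api/health is unauthenticated by design, so it can be polled from a monitoring host without a service account.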

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200/204 responses to /api/snapshots/ or /api/snapshots-delete/ endpoints
  • DELETE requests to snapshot endpoints from unexpected sources
  • Rapid sequence of snapshot access attempts

Network Indicators:

  • Unusual volume of requests to snapshot API paths
  • DELETE methods to /api/snapshots-delete/ from unauthenticated sources when public_mode=true

SIEM Query:

source="grafana" AND (uri_path="/api/snapshots/*" OR uri_path="/api/snapshots-delete/*" OR uri_path="/dashboard/snapshot/*")
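The SIEM query above returns every snapshot request; the indicators listed in this section (DELETE requests, anonymous hits, rapid sequences) still have to be picked out of that stream. The script below is an added example, not part of the original page or of Grafana itself. It assumes Grafana's server log with router_logging enabled, so that every request produces a "Request Completed" line in logfmt-style key=value form with the fields method, path, status, userId and remote_addr; the sample lines are constructed for the example.

```python
"""Detection logic for the log and network indicators above (added example, not Grafana code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Snapshot endpoints named in the indicators above (API read/delete paths and the UI path).
SNAPSHOT_PATH = re.compile(r"^/(api/snapshots(-delete)?|dashboard/snapshot)(/|$)")

# logfmt-style key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Constructed sample: one anonymous DELETE, a burst of anonymous snapshot reads from the
# same address, and an ordinary authenticated dashboard request that must not alert.
SAMPLE_LOG = """\
t=2021-10-05T12:00:00+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=DELETE path=/api/snapshots-delete/abc123 status=200 remote_addr=203.0.113.5 time_ms=4 size=35
t=2021-10-05T12:00:01+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/snapshots/abc123 status=200 remote_addr=203.0.113.5 time_ms=2 size=1200
t=2021-10-05T12:00:02+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/snapshots/abc124 status=200 remote_addr=203.0.113.5 time_ms=2 size=1200
t=2021-10-05T12:00:03+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/snapshots/abc125 status=200 remote_addr=203.0.113.5 time_ms=2 size=1200
t=2021-10-05T12:00:04+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/snapshots/abc126 status=200 remote_addr=203.0.113.5 time_ms=2 size=1200
t=2021-10-05T12:00:30+0000 lvl=info msg="Request Completed" logger=context userId=1 orgId=1 uname=admin method=GET path=/api/dashboards/uid/xyz status=200 remote_addr=198.51.100.7 time_ms=9 size=5000
"""


def parse_line(line):
    """Split one Grafana log line into a dict of fields, unquoting quoted values."""
    fields = {}
    for key, val in KV.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def analyse(log_text, burst_threshold=4, burst_window=timedelta(seconds=10)):
    """Return a list of findings, one dict per matched indicator."""
    findings = []
    hits_by_addr = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        path = f.get("path", "")
        if f.get("msg") != "Request Completed" or not SNAPSHOT_PATH.match(path):
            continue
        addr = f.get("remote_addr", "unknown")
        status = f.get("status", "")
        # userId=0 is how Grafana's context logger records an anonymous request.
        anonymous = f.get("userId", "0") == "0"
        if f.get("method") == "DELETE":
            findings.append({"kind": "snapshot_delete", "remote_addr": addr,
                             "path": path, "status": status, "anonymous": anonymous})
        elif anonymous and status in ("200", "204"):
            findings.append({"kind": "anonymous_snapshot_access", "remote_addr": addr,
                             "path": path, "status": status})
        hits_by_addr[addr].append(datetime.strptime(f["t"], "%Y-%m-%dT%H:%M:%S%z"))

    # Rapid sequence: at least burst_threshold snapshot requests from one address
    # inside a sliding window of burst_window.
    for addr, times in hits_by_addr.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > burst_window:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.append({"kind": "snapshot_burst", "remote_addr": addr,
                                 "count": end - start + 1,
                                 "window_seconds": burst_window.total_seconds()})
                break
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Feed it the lines returned by the SIEM query and tune `burst_threshold` and `burst_window` to the normal snapshot traffic of the instance; the anonymous-access rule is only meaningful when public_mode is disabled, since with public_mode enabled anonymous snapshot reads are expected.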
