CVE-2022-32276

7.5 HIGH

📋 TL;DR

CVE-2022-32276 allows unauthenticated access to Grafana dashboard snapshots via specific URLs, bypassing authentication requirements. This affects Grafana instances with snapshot sharing enabled. The vendor considers this a UI bug rather than a security vulnerability.

💻 Affected Systems

Products:
  • Grafana
Versions: 8.4.3 specifically (vendor states this is a UI bug, not a vulnerability)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with dashboard snapshot functionality enabled and accessible

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthenticated attackers could access sensitive dashboard snapshots containing confidential monitoring data, configuration details, or business intelligence information.

🟠 Likely Case

Exposure of dashboard snapshots that may contain internal metrics, system status information, or operational data to unauthorized users.

🟢 If Mitigated

Limited exposure of non-sensitive dashboard snapshots with proper access controls and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple URL manipulation required; vendor disputes this is a security vulnerability

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://github.com/grafana/grafana/issues/50336

Restart Required: No

Instructions:

The vendor considers this a UI bug, not a security vulnerability, so no official patch exists. Consider upgrading to the latest version and applying the workarounds below.

🔧 Temporary Workarounds

Disable Snapshot Sharing

Platform: all

Disable the snapshot sharing feature in Grafana configuration

Set the following in grafana.ini:

[snapshots]
external_enabled = false

Note: external_enabled only disables publishing snapshots to the external snapshot service; snapshots already stored locally stay reachable by their URL, so combine this setting with the access controls below.

Network Access Controls

Platform: linux

Restrict access to Grafana snapshot endpoints using firewall rules or reverse proxy configurations

iptables -A INPUT -p tcp --dport 3000 -m string --string "/dashboard/snapshot/" --algo bm -j DROP

Note: this string match inspects raw packets, so it only works for plaintext HTTP on port 3000, blocks snapshot pages for authenticated users as well, and can miss a request whose path is split across TCP segments. A reverse proxy rule that requires an authenticated session for the snapshot paths is the more reliable option.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Grafana instances
  • Enable authentication requirements for all dashboard access and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://[grafana-host]/dashboard/snapshot/*?orgId=0 without authentication

Check Version:

grafana-server -v

Verify Fix Applied:

Verify that snapshot sharing is disabled in the configuration and that unauthenticated access attempts to snapshot URLs fail.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to /dashboard/snapshot/* endpoints
  • Access from unexpected IP addresses to snapshot URLs

Network Indicators:

  • HTTP GET requests to snapshot endpoints without authentication headers
  • Traffic patterns showing snapshot access from external networks

SIEM Query:

source="grafana.log" AND (url="/dashboard/snapshot/*" OR url="/api/snapshots/*") AND user="anonymous" AND NOT auth_success="true"
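Added example (not part of this advisory): a small Python detector that applies the log indicators above to Grafana's logfmt request log (router_logging = true). The sample lines are constructed; the field names userId, orgId, path, status and remote_addr are those Grafana's request logger emits, and userId=0 is treated as an unauthenticated request.

```python
import re
from typing import Dict, List

# Constructed sample lines in the shape of Grafana's logfmt request log
# (router_logging = true); userId=0 means no authenticated user.
SAMPLE_LOG = """\
logger=context userId=0 orgId=0 uname= t=2022-06-06T10:00:01+0000 lvl=info msg="Request Completed" method=GET path=/dashboard/snapshot/abc123 status=200 remote_addr=203.0.113.7 time_ms=12
logger=context userId=42 orgId=1 uname=alice t=2022-06-06T10:00:02+0000 lvl=info msg="Request Completed" method=GET path=/dashboard/snapshot/abc123 status=200 remote_addr=10.0.0.5 time_ms=9
logger=context userId=0 orgId=0 uname= t=2022-06-06T10:00:03+0000 lvl=info msg="Request Completed" method=GET path=/login status=200 remote_addr=203.0.113.7 time_ms=3
logger=context userId=0 orgId=1 uname= t=2022-06-06T10:00:04+0000 lvl=info msg="Request Completed" method=GET path=/api/snapshots/abc123 status=401 remote_addr=198.51.100.9 time_ms=2
"""

SNAPSHOT_PATHS = ("/dashboard/snapshot/", "/api/snapshots/")
# logfmt: key=value pairs, values either bare or double-quoted
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_logfmt(line: str) -> Dict[str, str]:
    """Parse one logfmt line into a dict; quoted values are unquoted."""
    fields = {}
    for key, val in _PAIR.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
    return fields

def is_unauth_snapshot_hit(fields: Dict[str, str]) -> bool:
    """True for a successful snapshot request with no authenticated user."""
    path = fields.get("path", "")
    return (
        path.startswith(SNAPSHOT_PATHS)
        and fields.get("userId", "0") == "0"          # anonymous / no session
        and fields.get("status", "").startswith("2")  # served, not denied
    )

def find_hits(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed fields of every flagged line, for alerting/triage."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_logfmt(line)
        if is_unauth_snapshot_hit(fields):
            hits.append(fields)
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['t']} {hit['remote_addr']} -> {hit['path']} (orgId={hit['orgId']})")
```

Only the first sample line is flagged: the authenticated user, the non-snapshot path and the denied (401) request are all ignored.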
