CVE-2025-41116
📋 TL;DR
This vulnerability in the Grafana Databricks Datasource Plugin allows unauthorized data access when OAuth passthrough is enabled and multiple users share the same datasource. It affects Grafana instances where the plugin is configured with OAuth passthrough functionality. Users of affected plugin versions could see data they shouldn't have access to.
💻 Affected Systems
- Grafana Databricks Datasource Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive business data from Databricks is exposed to unauthorized users, potentially including financial records, customer PII, or proprietary analytics.
Likely Case
Users see dashboard data from other users' Databricks queries, leading to data leakage and potential compliance violations.
If Mitigated
With proper access controls and monitoring, impact is limited to minor data visibility issues between authorized users.
🎯 Exploit Status
Exploitation requires authenticated access to Grafana and specific plugin configuration. The vulnerability occurs naturally during normal usage under specific conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.0
Vendor Advisory: https://grafana.com/security/security-advisories/cve-2025-41116/
Restart Required: Yes
Instructions:
1. Update Grafana Databricks Datasource Plugin to version 1.12.0 or later.
2. Restart the Grafana service.
3. Verify the plugin version in the Grafana UI.
🔧 Temporary Workarounds
Disable OAuth Passthrough
Disable the OAuth passthrough feature in the Databricks datasource configuration
Edit datasource configuration in Grafana UI and disable OAuth passthrough
Use Separate Datasources
Configure separate datasource instances for different user groups
Create multiple Databricks datasource configurations in Grafana
🧯 If You Can't Patch
- Disable OAuth passthrough on all Databricks datasources
- Implement strict access controls and monitor for unusual data access patterns
🔍 How to Verify
Check if Vulnerable:
Check the Grafana plugin version in Administration > Plugins, verify whether the version is between 1.6.0 and 1.11.x, and check whether any Databricks datasources have OAuth passthrough enabled.
Check Version:
Check Grafana UI: Administration > Plugins > Databricks Datasource, or check plugin directory for version file.
Verify Fix Applied:
Confirm plugin version is 1.12.0 or higher in Grafana UI and verify OAuth passthrough functionality works correctly without data leakage.
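The two checks above (plugin version in the 1.6.0 to 1.11.x window, and any Databricks datasource with OAuth passthrough enabled) can be scripted against the Grafana HTTP API. The helper below is an added example, not code from the advisory or from Grafana; it assumes the plugin id is grafana-databricks-datasource and that Grafana stores the "Forward OAuth Identity" toggle as jsonData.oauthPassThru, both of which should be confirmed against your install. The sample API responses are constructed so the check runs offline; set GRAFANA_URL and GRAFANA_TOKEN to run it against a live instance.

```python
"""Added verification helper for CVE-2025-41116 (not from the advisory)."""
import json
import os
import urllib.request
from typing import Iterable

# Version window taken from the advisory's verification section:
# 1.6.0 through 1.11.x are listed as vulnerable, 1.12.0 carries the fix.
FIRST_VULNERABLE = (1, 6, 0)
FIXED = (1, 12, 0)

# Assumed plugin id; confirm against plugin.json in your plugin directory.
PLUGIN_ID = "grafana-databricks-datasource"

# Constructed sample responses shaped like GET /api/plugins/<id>/settings
# and GET /api/datasources (admin API). Values are made up for this example.
SAMPLE_PLUGIN_SETTINGS = {"info": {"version": "1.10.3"}}
SAMPLE_DATASOURCES = [
    {"name": "databricks-prod", "type": PLUGIN_ID, "jsonData": {"oauthPassThru": True}},
    {"name": "databricks-dev", "type": PLUGIN_ID, "jsonData": {"oauthPassThru": False}},
    {"name": "postgres-main", "type": "postgres", "jsonData": {"oauthPassThru": True}},
]


def parse_version(version: str) -> tuple:
    """Turn '1.11.2', 'v1.11.2' or '1.11.2-beta' into a comparable int tuple."""
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def plugin_version_vulnerable(version: str) -> bool:
    """True when the installed version falls inside the advisory's window."""
    return FIRST_VULNERABLE <= parse_version(version) < FIXED


def passthrough_datasources(datasources: Iterable[dict]) -> list:
    """Names of Databricks datasources with OAuth passthrough switched on.

    Only datasources of the assumed plugin type count; a passthrough flag on
    an unrelated datasource type (e.g. postgres) is ignored."""
    hits = []
    for ds in datasources:
        if ds.get("type") != PLUGIN_ID:
            continue
        if ds.get("jsonData", {}).get("oauthPassThru") is True:
            hits.append(ds.get("name", "<unnamed>"))
    return hits


def assess(plugin_version: str, datasources: Iterable[dict]) -> dict:
    """Combine both conditions: exposed only if version AND config match."""
    vulnerable_version = plugin_version_vulnerable(plugin_version)
    affected = passthrough_datasources(datasources)
    return {
        "plugin_version": plugin_version,
        "vulnerable_version": vulnerable_version,
        "passthrough_datasources": affected,
        "exposed": vulnerable_version and bool(affected),
    }


def fetch_json(base_url: str, path: str, token: str) -> object:
    """GET a Grafana API path with a service-account/API token."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def run(base_url: str = "", token: str = "") -> dict:
    """Use the live API when credentials are given, else the constructed sample."""
    if base_url and token:
        settings = fetch_json(base_url, f"/api/plugins/{PLUGIN_ID}/settings", token)
        datasources = fetch_json(base_url, "/api/datasources", token)
    else:
        settings, datasources = SAMPLE_PLUGIN_SETTINGS, SAMPLE_DATASOURCES
    version = settings.get("info", {}).get("version", "0.0.0")
    return assess(version, datasources)


if __name__ == "__main__":
    result = run(os.environ.get("GRAFANA_URL", ""), os.environ.get("GRAFANA_TOKEN", ""))
    print(json.dumps(result, indent=2))
```

After patching, rerun the same check: the version test should report false while the datasource list still shows which datasources forward OAuth identity, so you can confirm that the passthrough setting is intended rather than forgotten.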
📡 Detection & Monitoring
Log Indicators:
- Multiple user sessions accessing same Databricks datasource with OAuth tokens
- Unusual data access patterns in Grafana audit logs
Network Indicators:
- Multiple OAuth token exchanges for single datasource endpoint
SIEM Query:
source="grafana" AND ("databricks" OR "oauth") AND ("unauthorized" OR "access denied")