CVE-2026-21725

CVE-2026-21725 is a low-severity vulnerability in Grafana with a CVSS 3.x base score of 2.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-367.

Key facts

Description

A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion. - Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana. - The attacker must delete the datasource, then someone must recreate it. - The new datasource must not have the attacker as an admin. - The new datasource must have the same UID as the prior datasource. These are randomised by default. - The datasource can now be re-deleted by the attacker. - Once 30 seconds are up, the attack is spent and cannot be repeated. - No datasource with any other UID can be attacked.

Frequently asked questions

What is CVE-2026-21725?
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion. - Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana. - The attacker must delete the datasource, then someone must recreate it. - The new datasource must not have the attacker as an admin. - The new datasource must have the same UID as the prior datasource. These are randomised by default. - The datasource can now be re-deleted by the attacker. - Once 30 seconds are up, the attack is spent and cannot be repeated. - No datasource with any other UID can be attacked.
How severe is CVE-2026-21725?
CVE-2026-21725 has a CVSS 3.x base score of 2.6, rated low severity. It is exploitable over network with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is none, integrity none, and availability low.
Is CVE-2026-21725 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (7th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-21725?
CVE-2026-21725 affects Grafana. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-21725?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-21725 have an EU (EUVD) identifier?
Yes. CVE-2026-21725 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-8637.
When was CVE-2026-21725 published?
CVE-2026-21725 was published on 2026-02-25 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Grafana

All CVEs affecting Grafana →

Other CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition) vulnerabilities

Browse all CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition) vulnerabilities →

Threat intelligence

Threat-intel indicators referencing this CVE: