CVE-2025-12141

MEDIUM

6.5

Descripcion

In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.

Detalles CVE

Puntuacion CVSS v3.16.5

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosLOW

Interaccion usuarioNONE

Publicado4/15/2026

Ultima modificacion4/20/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

grafana:grafana

Debilidades (CWE)

CWE-200

Referencias

https://grafana.com/security/security-advisories/cve-2025-12141/(security@grafana.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.