The Grafana Ghost XSS Flaw Exposes Servers to Account Takeover
Even Open Source, Free, and Managed versions can have vulnerabilities.
A newly discovered cross-site scripting (XSS) vulnerability in Grafana — a widely used open-source analytics and visualization platform for developers — has put thousands of servers at risk of complete account takeover.
What is Cross-Site Scripting
Cross-site scripting (XSS) is a cyberattack in which a hacker enters malicious code into a web form or web application URL. This malicious code, written in a scripting language like JavaScript or PHP, can do anything from vandalizing the website you’re trying to load to stealing your passwords or other login credentials.
A highly simplified example of this would be as follows:
https://www.mysite.com/something?DoBadStuff()
Here a piece of script called DoBadStuff, which probably has some truly nasty functionality, is run as part of loading this URL into the browser.
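The simplified URL above hides the actual mechanism, which is that a value taken from the URL is written into the page as HTML. The following is an added example, not code from the article or from Grafana: a vulnerable renderer next to its hardened form, run under Node.js with the page returned as a string so both can be compared offline. The URL, the `name` parameter and the renderer functions are all constructed for the illustration.

```javascript
// Added example (not code from the article or from Grafana): the mechanism the
// article describes, a value lifted from a URL and rendered as page content.
// Runs under Node.js with no dependencies; the "page" is returned as a string
// so the vulnerable and the hardened renderer can be compared offline.

// Vulnerable renderer: the query value goes straight into the HTML. Any markup
// the value carries becomes part of the page and, in a browser, executes.
function renderGreetingUnsafe(url) {
  const name = new URL(url).searchParams.get('name') ?? 'guest';
  return `<h1>Hello, ${name}</h1>`;
}

// Escape the five characters that let text break out of an HTML text node or
// a quoted attribute value. '&' is replaced first so the entities produced by
// the later replacements are not escaped a second time.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened renderer: identical flow, but the untrusted value is escaped before
// it is interpolated, so the browser displays the text instead of parsing it.
function renderGreetingSafe(url) {
  const name = new URL(url).searchParams.get('name') ?? 'guest';
  return `<h1>Hello, ${escapeHtml(name)}</h1>`;
}

// Crude review-time check: did a script element or an inline event handler end
// up in the output? It flags the difference between the two renderers; a real
// deployment relies on output escaping and a Content Security Policy, not this.
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample input, standing in for the article's "?DoBadStuff()" URL:
// the name parameter carries a script element, URL-encoded as a browser would.
const CONSTRUCTED_URL =
  'https://www.mysite.com/something?name=' +
  encodeURIComponent('<script>alert(1)</script>');

console.log('unsafe:', renderGreetingUnsafe(CONSTRUCTED_URL));
console.log('safe:  ', renderGreetingSafe(CONSTRUCTED_URL));
```

In browser code the same distinction is assigning untrusted text to `element.textContent` rather than `element.innerHTML`; the escaping function above does by hand what a templating engine's auto-escaping does for you.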
The Details of the Exploit
The vulnerability is a chain of exploits, beginning with a malicious link sent to the victim Grafana server. It is important to note that Grafana servers not directly connected to the internet are also at risk, due to the potential for blind attacks that exploit the same weakness.
Researchers have warned that a compromised Grafana admin account could have serious consequences, including full access to internal metrics and dashboards, control over user accounts, and potential disruption of operations.
This security flaw was first discovered in May 2025 by Alvaro Balada in a bug bounty program and was disclosed by Grafana as a one-day vulnerability.
Now, a few months later, it is being reported that many public-facing Grafana instances are still unpatched and remain vulnerable. Even more are likely affected behind firewalls or in segmented networks.
According to a Grafana advisory, the vulnerability was fixed in versions v10.4.18+security-01, v11.2.9+security-01, v11.3.6+security-01, v11.4.4+security-01, v11.5.4+security-01, v11.6.1+security-01, and v12.0.0+security-01.
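Because the fixed releases carry a "+security-01" build suffix, a plain version comparison can misjudge whether an instance is patched. The following is an added example, not code from the article or from Grafana, that checks a version string against the fixed versions listed above. Two assumptions are labelled in the code: version strings have the form MAJOR.MINOR.PATCH with an optional "+security-NN" suffix, and a later patch release on the same minor line (for example 11.5.5) also carries the fix, which the article does not state. The bare number without the suffix (for example 11.5.4) is deliberately reported as not fixed, since the advisory names the security build.

```javascript
// Added example (not code from the article or from Grafana): a check of a
// running Grafana version against the fixed versions the article quotes.
// Assumptions: (1) version strings look like MAJOR.MINOR.PATCH with an
// optional "+security-NN" suffix, the form used in the advisory; (2) a later
// patch release on the same minor line also carries the fix (not stated in
// the article). A bare number without the suffix is treated as NOT fixed.

// Fixed versions exactly as listed in the article.
const FIXED_VERSIONS = [
  '10.4.18+security-01',
  '11.2.9+security-01',
  '11.3.6+security-01',
  '11.4.4+security-01',
  '11.5.4+security-01',
  '11.6.1+security-01',
  '12.0.0+security-01',
];

// Parse "v11.5.4+security-01" into comparable integers. Unlike strict semver,
// the +security-NN suffix is ordered ABOVE the bare version here, because the
// advisory names the rebuilt security release as the one containing the fix.
function parseGrafanaVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$/.exec(String(text).trim());
  if (!m) throw new Error(`unrecognised Grafana version string: ${text}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], security: m[4] ? +m[4] : 0 };
}

function compareVersions(a, b) {
  for (const field of ['major', 'minor', 'patch', 'security']) {
    if (a[field] !== b[field]) return a[field] < b[field] ? -1 : 1;
  }
  return 0;
}

function formatVersion(v) {
  const suffix = v.security ? `+security-${String(v.security).padStart(2, '0')}` : '';
  return `${v.major}.${v.minor}.${v.patch}${suffix}`;
}

const FIXED = FIXED_VERSIONS.map(parseGrafanaVersion).sort(compareVersions);
const NEWEST_FIXED = FIXED[FIXED.length - 1];

// Returns { patched: boolean, reason: string } for a version string.
function checkGrafanaVersion(text) {
  const v = parseGrafanaVersion(text);
  const sameLine = FIXED.find((f) => f.major === v.major && f.minor === v.minor);
  if (sameLine) {
    return compareVersions(v, sameLine) >= 0
      ? { patched: true, reason: `at or above ${formatVersion(sameLine)}` }
      : { patched: false, reason: `below ${formatVersion(sameLine)}; upgrade within the ${v.major}.${v.minor} line` };
  }
  // No fixed build on this minor line: lines newer than the newest fixed one
  // are assumed to include the fix; older lines received no fix and need a
  // move to a fixed line.
  const newerLine = v.major > NEWEST_FIXED.major
    || (v.major === NEWEST_FIXED.major && v.minor > NEWEST_FIXED.minor);
  return newerLine
    ? { patched: true, reason: `release line newer than ${formatVersion(NEWEST_FIXED)}` }
    : { patched: false, reason: `release line ${v.major}.${v.minor} received no fix; upgrade to a fixed line` };
}

for (const sample of ['11.5.3', '11.5.4', '11.5.4+security-01', '12.0.0', '12.1.0']) {
  console.log(sample, '=>', checkGrafanaVersion(sample));
}
```

The input string is the `version` field of the JSON returned by Grafana's `/api/health` endpoint, or the value shown in the UI's help menu; feed each instance's value to `checkGrafanaVersion` and treat any `patched: false` result as an upgrade ticket.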
Summary
If your team is running Grafana, it is highly recommended to update it to the latest release. This critical vulnerability is yet another example of why it is so important to update all software at regular intervals.