CVE-2022-21673 in Grafana
Summary
by MITRE • 01/19/2022
Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4.
Analysis
by VulDB Data Team • 09/03/2025
CVE-2022-21673 is an authorization flaw in the Grafana monitoring platform. It affects releases prior to 7.5.13 on the 7.x line and prior to 8.3.4 on the 8.x line, and it arises from how Grafana resolves the user identity that is forwarded to a data source when the Forward OAuth Identity feature is enabled. A request authenticated with an API token is not tied to a logged-in user, yet affected versions treated it as though it belonged to a real OAuth user, so the token holder could query the data source under someone else's identity and read data outside the token's intended scope. The flaw is notable because it needs no separate attack vector: an attacker who already holds a valid API token triggers it with an ordinary data source query.
The mechanism involves the Forward OAuth Identity setting on a data source (stored as oauthPassThru in the data source's jsonData). When it is enabled, Grafana looks up the OAuth access token stored for the user making the request and attaches it to the query it proxies to the backend, so the backend sees the user's own identity rather than the data source's shared service credentials. An API token has no logged-in user behind it, so that lookup has no user to match. Affected versions did not reject this case; instead the OAuth token of the most recently logged-in user was resolved and forwarded, which let the API token holder impersonate that user against the data source regardless of the token's own role. The patched versions no longer forward an OAuth identity for API-token requests. The issue is classified under CWE-284 (Improper Access Control): the boundary between two authentication mechanisms sharing one proxy path was never enforced, so the token's effective scope expanded to that of an unrelated user.
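The lookup failure described above, modelled as an added Python illustration; this is not Grafana's code, and the names SignedInUser, UserAuth and get_auth_info are hypothetical, with a constructed user_auth table. One assumption drives the model: the vulnerable lookup builds its query conditions only from non-zero fields, as many ORM-style finders do, so the zero user id that an API-key request carries matches every row and the most recently created one wins. The hardened version refuses to forward any identity for a request that is not tied to a logged-in user.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SignedInUser:
    """Hypothetical request principal (not Grafana's struct)."""
    user_id: int          # 0 when the request was authenticated with an API key
    api_key_id: int = 0   # non-zero only for API-key requests
    login: str = ""

    @property
    def is_api_key(self) -> bool:
        return self.api_key_id != 0


@dataclass(frozen=True)
class UserAuth:
    """One row of a hypothetical user_auth table: an OAuth login record."""
    user_id: int
    auth_module: str
    created: int          # larger = more recent login
    oauth_access_token: str


# Constructed sample table: two OAuth users, bob logged in most recently.
USER_AUTH_TABLE = [
    UserAuth(1, "oauth_generic_oauth", 100, "tok-alice"),
    UserAuth(2, "oauth_generic_oauth", 200, "tok-bob"),
]


def get_auth_info(user_id: int) -> Optional[UserAuth]:
    """ORM-style finder (assumption made for this model): zero-valued fields
    are not used as conditions, so user_id == 0 means "no condition" and the
    newest row is returned. This is the defect the model demonstrates."""
    conditions = {}
    if user_id != 0:
        conditions["user_id"] = user_id
    rows = [r for r in USER_AUTH_TABLE
            if all(getattr(r, k) == v for k, v in conditions.items())]
    return max(rows, key=lambda r: r.created) if rows else None


def oauth_token_vulnerable(user: SignedInUser) -> Optional[str]:
    """Affected behaviour: an API-key request (user_id 0) receives the OAuth
    token of whoever logged in last."""
    row = get_auth_info(user.user_id)
    return row.oauth_access_token if row else None


def oauth_token_fixed(user: SignedInUser) -> Optional[str]:
    """Hardened behaviour: only a request tied to a logged-in user has an
    OAuth identity to forward; anything else gets none."""
    if user.is_api_key or user.user_id == 0:
        return None
    row = get_auth_info(user.user_id)
    return row.oauth_access_token if row else None


if __name__ == "__main__":
    api_key_request = SignedInUser(user_id=0, api_key_id=7)
    print("vulnerable:", oauth_token_vulnerable(api_key_request))  # tok-bob
    print("fixed:     ", oauth_token_fixed(api_key_request))       # None
```

The check in oauth_token_fixed is the whole fix in this model: the decision is made on what kind of principal the request carries, not on whether a row happened to be found. A finder that silently drops zero-valued conditions is a recurring source of this class of bug, and the safer pattern is to validate the principal before any lookup rather than to trust the lookup to fail closed.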
Once exploited, the API token holder can issue queries to the affected data source carrying the victim user's OAuth identity, so the exposure is whatever that backend (a Prometheus instance, for example) grants that user: metrics, logs and operational detail such as host names and service topology that can aid further attacks. The impact is bounded by the impersonated user's access and by which data sources have the feature turned on; it is not a takeover of the Grafana instance itself, but in deployments where OAuth-backed per-user authorization at the backend is the only thing separating one team's data from another's, it removes that separation. Exploitation needs every precondition from the advisory at once: a data source type that supports Forward OAuth Identity, a data source with it enabled, OAuth login enabled so that user OAuth tokens exist to forward, and a usable API key. In ATT&CK terms the closest mapping is T1550.001 (Use Alternate Authentication Material: Application Access Token), since the attacker reuses another user's OAuth token rather than obtaining credentials of their own.
Remediation is to upgrade to 7.5.13 on the 7.x line or 8.3.4 on the 8.x line. Until that is done, review every data source for the Forward OAuth Identity toggle (jsonData.oauthPassThru in provisioning files and in the data sources API) and turn it off wherever it is not needed; note that this changes behaviour, because queries then run with the data source's configured credentials rather than the user's, so any per-user authorization the backend was enforcing is lost. Treat existing API keys as a risk surface: revoke keys that are no longer used, keep the rest at the lowest role that still works (Viewer rather than Editor or Admin), and rotate any key whose holders are not known. Review data source proxy requests made with API keys against data sources that had the feature enabled, since those are the requests through which another user's identity could have been exercised. Restricting network access to the Grafana instance limits who can use a leaked key at all. The broader lesson is that a shared request path serving two authentication mechanisms must decide explicitly what "identity" means for each of them; a feature that was safe for browser sessions became an impersonation primitive once API tokens travelled the same path.
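The configuration review above, together with the four preconditions listed in the MITRE summary, as an added Python audit helper (example code, not Grafana's own tooling). It works on the JSON a real instance returns from GET /api/health (which includes the running version), GET /api/datasources (where the Forward OAuth Identity toggle is stored as jsonData.oauthPassThru) and GET /api/auth/keys; the responses embedded here are constructed samples so the script runs offline. Whether OAuth login is enabled is assumed to be read by the operator from grafana.ini and passed in as a boolean.

```python
import json

# First fixed release on each affected major line, from the advisory.
FIXED_RELEASE = {7: (7, 5, 13), 8: (8, 3, 4)}

# Constructed sample responses (not captured from a real instance).
HEALTH = {"commit": "0000000", "database": "ok", "version": "8.3.3"}   # GET /api/health
DATASOURCES = [                                                        # GET /api/datasources
    {"id": 1, "name": "Prometheus", "type": "prometheus",
     "jsonData": {"httpMethod": "POST", "oauthPassThru": True}},
    {"id": 2, "name": "Loki", "type": "loki",
     "jsonData": {"oauthPassThru": False}},
    {"id": 3, "name": "TestData", "type": "testdata"},
]
API_KEYS = [{"id": 1, "name": "ci-reader", "role": "Viewer"}]          # GET /api/auth/keys
# Assumption: the operator reads this from grafana.ini ([auth.generic_oauth],
# [auth.github], ...) and supplies it as a plain boolean.
OAUTH_ENABLED = True


def parse_version(version: str) -> tuple:
    """Turn '8.3.3', 'v7.5.12' or '8.3.3-beta1' into a comparable (major, minor, patch)."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """Prior to 7.5.13 (7.x and older lines) or prior to 8.3.4 (8.x line)."""
    v = parse_version(version)
    if v[0] <= 7:
        return v < FIXED_RELEASE[7]
    if v[0] == 8:
        return v < FIXED_RELEASE[8]
    return False


def exposed_datasources(datasources: list) -> list:
    """Names of data sources with Forward OAuth Identity toggled on."""
    return [ds["name"] for ds in datasources
            if (ds.get("jsonData") or {}).get("oauthPassThru") is True]


def assess(health: dict, datasources: list, oauth_enabled: bool, api_keys: list) -> dict:
    """Evaluate all four preconditions and report whether they hold at once."""
    version = health.get("version", "")
    exposed = exposed_datasources(datasources)
    vulnerable = is_vulnerable_version(version)
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "oauth_enabled": oauth_enabled,
        "oauth_pass_thru_datasources": exposed,
        "api_keys": [k["name"] for k in api_keys],
        "all_preconditions_met": vulnerable and oauth_enabled and bool(exposed) and bool(api_keys),
    }


if __name__ == "__main__":
    print(json.dumps(assess(HEALTH, DATASOURCES, OAUTH_ENABLED, API_KEYS), indent=2))
```

To run it against a live instance, replace the three constants with the parsed bodies of the corresponding GET requests made with an Admin-role key (the data sources and API keys endpoints require admin rights); the list under oauth_pass_thru_datasources is the set to either disable or prioritise when planning the upgrade.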