CVE-2022-36062 in Grafana
Summary
by MITRE • 09/22/2022
Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions, resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations that translate legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin; as a result, RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.
Analysis
by VulDB Data Team • 09/04/2025
CVE-2022-36062 is a critical privilege escalation issue in Grafana's access control mechanisms, affecting versions prior to 8.5.13, 9.0.9, and 9.1.6. The flaw is an improper preservation of permissions during the transition from legacy folder permissions to Role-Based Access Control (RBAC). It is triggered on instances where RBAC was disabled and later re-enabled: the migration that runs on re-enablement does not account for folders whose only existing permission is Admin, and the resulting permission drift undermines the intended security model.
The defect lies in Grafana's legacy permission migration logic, which does not handle this edge case in permission inheritance. When RBAC is re-enabled, the migration translates each folder's existing legacy permissions into the new RBAC framework. For a folder that carries only an Admin permission, it incorrectly introduces Editor and Viewer permissions as well. Users holding the Editor or Viewer role thereby gain unintended access to the folder's contents and can edit or view dashboards that should have remained restricted to administrators. The problem specifically affects deployments that move from legacy permissions to RBAC while keeping their existing folder structure and permissions, since the migration introduces new grants without reflecting the original access control state.
The operational impact is significant for organizations relying on Grafana for monitoring and observability, as the flaw opens a path to unauthorized privilege escalation and data exposure. A user holding only the Editor or Viewer role on an affected instance may gain edit or view access to specific folders that were restricted to administrators. The issue particularly affects organizations that migrated from older Grafana versions where RBAC was not fully implemented, or that disabled RBAC for operational reasons and later re-enabled it. Because the affected folders may hold critical operational data or system metrics, the excess permissions persist as a security risk that could allow unauthorized modification of dashboards, viewing of sensitive data, or lateral movement within the monitoring infrastructure.
Organizations should immediately upgrade to the patched versions 8.5.13, 9.0.9, or 9.1.6, since manually removing the extra permissions only corrects folders already known to be affected and does not address the underlying migration flaw. Mitigation should include a comprehensive review of all folder permissions after any RBAC re-enablement, focusing on folders created or modified while RBAC was disabled. System administrators should monitor permission changes and audit folder access controls regularly to detect unauthorized grants introduced by this or similar migration issues. The vulnerability maps to CWE-284 (Improper Access Control) and is a specific implementation weakness in RBAC permission handling that corresponds to the ATT&CK behaviour of privilege escalation through abuse of permissions. Additional controls such as privileged access management and regular security assessments help prevent similar issues in other monitoring and observability platforms.
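The following Go program is an added illustration of the migration defect described above and of the post-migration permission audit recommended in the mitigation paragraph. It is not Grafana's code and does not use Grafana's real data model or API: the `Grant`, `Folder` and `defaultGrants` types, the permission level names, and the two migration functions are a constructed simplification. `migrateBuggy` models the pre-fix behaviour (an Admin-only folder picks up Editor and Viewer grants because the migration falls back to defaults whenever those roles are absent), `migrateFixed` applies defaults only to folders that genuinely have no legacy permissions, and `unexpectedRoles` is the drift check an administrator would run over each folder after re-enabling RBAC.

```go
package main

import (
	"fmt"
	"sort"
)

// Permission levels used on both sides of the migration. The names follow the
// page's wording (Admin / Edit / View); the data model is a constructed
// simplification, not Grafana's real schema.
const (
	PermAdmin = "Admin"
	PermEdit  = "Edit"
	PermView  = "View"
)

// Grant is one role-level permission entry on a folder (constructed).
type Grant struct {
	Role       string
	Permission string
}

// Folder is a constructed legacy folder with its explicit ACL entries.
// An empty ACL means the folder relies on default permissions.
type Folder struct {
	Title string
	ACL   []Grant
}

// defaultGrants model what applies to a folder with no explicit ACL:
// Editors may edit and Viewers may view (constructed assumption).
var defaultGrants = []Grant{{"Editor", PermEdit}, {"Viewer", PermView}}

// hasRole reports whether any ACL entry targets the given role.
func hasRole(acl []Grant, role string) bool {
	for _, g := range acl {
		if g.Role == role {
			return true
		}
	}
	return false
}

// migrateBuggy models the defect: the legacy entries are copied, and because no
// Editor or Viewer entry is found, the defaults are added on top, even though
// an explicit Admin-only ACL was meant to exclude those roles.
func migrateBuggy(f Folder) []Grant {
	out := append([]Grant{}, f.ACL...)
	for _, d := range defaultGrants {
		if !hasRole(out, d.Role) {
			out = append(out, d)
		}
	}
	return out
}

// migrateFixed applies defaults only when the legacy ACL is genuinely empty;
// an explicit ACL is preserved exactly as it was.
func migrateFixed(f Folder) []Grant {
	if len(f.ACL) == 0 {
		return append([]Grant{}, defaultGrants...)
	}
	return append([]Grant{}, f.ACL...)
}

// unexpectedRoles returns, sorted, the roles present in the migrated permission
// set that the legacy ACL never granted. Folders with an empty legacy ACL are
// expected to receive the defaults, so they produce no findings.
func unexpectedRoles(legacy Folder, migrated []Grant) []string {
	if len(legacy.ACL) == 0 {
		return nil
	}
	var drift []string
	for _, g := range migrated {
		if g.Role != "" && !hasRole(legacy.ACL, g.Role) {
			drift = append(drift, g.Role)
		}
	}
	sort.Strings(drift)
	return drift
}

func main() {
	// Constructed samples: one folder restricted to Admin only, one on defaults.
	adminOnly := Folder{Title: "Production secrets", ACL: []Grant{{"Admin", PermAdmin}}}
	defaults := Folder{Title: "Team dashboards"}

	for _, f := range []Folder{adminOnly, defaults} {
		fmt.Printf("%-20s buggy drift: %v   fixed drift: %v\n", f.Title,
			unexpectedRoles(f, migrateBuggy(f)), unexpectedRoles(f, migrateFixed(f)))
	}
}
```

Running it shows the Admin-only folder gaining `[Editor Viewer]` under the buggy migration and nothing under the fixed one, while the defaults-only folder is clean in both cases. In a real review the `migrated` argument would be the folder's current RBAC permissions as read from the running instance, and any non-empty result is a folder whose extra grants should be removed, as the workaround in the summary describes.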