Description
Grafana is an open-source platform for monitoring and observability. When using the forgot-password feature on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.
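The following is an added illustration, not Grafana's own code: a minimal Go handler that answers as the description says (a distinct "user not found" response for unknown logins) beside a hardened version that answers identically and lets the lookup decide only whether mail is queued, plus a regression check a deployment can run against either. The user store, the mail queue and the `userOrEmail` JSON field name are assumptions.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

var knownUsers = map[string]bool{"admin": true, "alice@example.com": true} // constructed stand-in (assumption)
var mailQueue []string                                                    // constructed outbound queue (assumption)

// decodeLogin reads the body (field name assumed); a malformed body yields "".
func decodeLogin(r *http.Request) string {
	var req struct{ UserOrEmail string `json:"userOrEmail"` }
	_ = json.NewDecoder(r.Body).Decode(&req)
	return req.UserOrEmail
}

// vulnerableResetHandler reproduces the described behaviour: unknown logins get a distinct "user not found" answer.
func vulnerableResetHandler(w http.ResponseWriter, r *http.Request) {
	if !knownUsers[decodeLogin(r)] {
		http.Error(w, `{"message":"user not found"}`, http.StatusNotFound)
		return
	}
	w.Write([]byte(`{"message":"Email sent"}`))
}

// hardenedResetHandler answers identically either way; the lookup only gates mail (deliver asynchronously, so timing does not leak it).
func hardenedResetHandler(w http.ResponseWriter, r *http.Request) {
	if login := decodeLogin(r); knownUsers[login] {
		mailQueue = append(mailQueue, login)
	}
	w.Write([]byte(`{"message":"Email sent"}`))
}

// probe posts one reset request and returns the status code and trimmed body.
func probe(h http.HandlerFunc, login string) (int, string) {
	body := strings.NewReader(`{"userOrEmail":"` + login + `"}`)
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/api/user/password/sent-reset-email", body))
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

// leaksExistence is the regression check: true when a known and an unknown login receive different responses.
func leaksExistence(h http.HandlerFunc) bool {
	c1, b1 := probe(h, "admin")
	c2, b2 := probe(h, "no-such-user")
	return c1 != c2 || b1 != b2
}
```

Running `leaksExistence` against a deployment's handler after upgrading to 9.2.4 or 8.5.15 is the quickest way to confirm the fix is actually in place; a true result means the endpoint still enumerates accounts.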
Remediation
References