Description

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Remediation

References

CVE-2026-21724

Related Vulnerabilities

Liferay DXP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2025-43802)

Dot CMS Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2016-8907)

MySQL CVE-2024-21173 Vulnerability (CVE-2024-21173)

Liferay DXP Use of Password Hash With Insufficient Computational Effort Vulnerability (CVE-2024-25607)

WordPress Plugin Mail Queue Cross-Site Scripting (1.1)

Severity

Medium

Classification

CVE-2026-21724 CWE-285 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Tags

Missing Update Known Vulnerabilities