Platform
grafana
Component
grafana
Fixed in
12.3.1
CVE-2025-12141 affects Grafana Alerting in Grafana versions 8.0.0 through 12.3.0. An attacker with edit permission on contact points can point a contact point's endpoint URL at a server they control and, by triggering the contact point's test function, receive the credentials Grafana holds for the third-party service behind that contact point, such as a Slack token. The issue is fixed in version 12.3.1, and users are strongly advised to upgrade.
The primary impact of CVE-2025-12141 is the exposure of the authentication credentials Grafana Alerting uses to reach external services. These secure settings (tokens, API keys, passwords) are stored encrypted and are redacted in the UI and API, so a user normally cannot read them back. A user who can edit a contact point, however, can change its endpoint URL to a server they control and then trigger the contact point's test notification: Grafana sends the stored secret, together with the test message, to the attacker's server. Successful exploitation gives the attacker working credentials for the targeted third-party service, such as Slack, PagerDuty, or an email provider, which can lead to data exposure, unauthorized actions within those services, and lateral movement within the affected organization.
Exploitation context for CVE-2025-12141 is currently limited. No public exploit has been reported, the CVE is not on the CISA KEV list, and its EPSS score is low (0.03%). NVD and CISA published the CVE on 2026-04-15. The probability of exploitation is considered low given the lack of public information, but the potential impact warrants prompt remediation.
Organizations running Grafana Alerting with many users holding the 'Editor' or 'Contact Point Writer' role are most exposed, since each of those accounts can carry out the attack. Multi-tenant or shared Grafana instances are also at risk: a single compromised account with contact-point write permission can reach the secrets of every contact point in that organization. Deployments on older Grafana releases that are not updated regularly are at increased risk as well.
• grafana: Examine the Grafana server log for requests to the contact-point test endpoint and for edits to contact points. Grafana writes to /var/log/grafana/grafana.log by default; per-request lines ("Request Completed") are only written when router_logging = true is set in the [server] section of grafana.ini.
grep -E 'path=/api/alertmanager/grafana/config/api/v1/receivers/test|path=/api/v1/provisioning/contact-points' /var/log/grafana/grafana.log
journalctl -u grafana-server --grep 'receivers/test'
• linux / server: Monitor the host for outbound connections from the Grafana process to hosts that are not your known notification providers.
ss -tnp | grep grafana
• generic web: List the configured contact points through the provisioning API and inspect each destination URL for hosts you do not recognize (secure fields are returned redacted, but endpoint URLs are visible).
curl -s -H "Authorization: Bearer <service_account_token>" https://<grafana_url>/api/v1/provisioning/contact-points
patch
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
The primary mitigation for CVE-2025-12141 is to upgrade Grafana to version 12.3.1 or later. Before upgrading, review existing contact points for endpoint URLs that point anywhere other than the expected notification provider, and rotate any credential attached to a contact point that was modified by an account you cannot account for. Limit the number of users holding the 'alert.notifications:write' and 'alert.notifications.receivers:test' permissions. A WAF or reverse proxy in front of Grafana can additionally restrict which clients may call the contact-point test endpoint. Monitor the Grafana log for contact-point edits followed by test notifications from the same user. After upgrading, confirm the fix by changing a contact point's endpoint URL as a low-privileged editor and verifying that the test notification no longer delivers the stored secret to the new endpoint.
Upgrade Grafana to version 12.3.1 or later to mitigate the vulnerability. This update fixes the issue by restricting users' ability to edit webhook destinations created by other users, thereby preventing unauthorized access to sensitive configuration.
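The following added example (not part of this advisory or of Grafana's own code) implements the audit and the log check described in the detection items above and in the mitigation guidance: it flags contact points whose endpoint URL leaves the set of expected provider hosts, and it pulls contact-point edits and test notifications out of Grafana's router log so that an edit followed by a test from the same user stands out. It assumes the response shape of Grafana's provisioning API (GET /api/v1/provisioning/contact-points), the setting names endpointUrl and url for destination URLs, and the logfmt "Request Completed" lines Grafana emits with router_logging enabled; the contact-point list and log lines are constructed.

```python
"""Audit Grafana contact points for redirected endpoints and pick out
contact-point edits and test notifications from the Grafana server log.

Added example for this advisory; not Grafana's own code. Assumes the
provisioning API response shape (a list of contact points, each with a
"settings" object) and the logfmt "Request Completed" lines Grafana writes
when router_logging is enabled. All sample data below is constructed.
"""
import json
import re
from urllib.parse import urlparse

# Hosts a contact point may legitimately deliver to. Assumption: adjust to
# the providers actually used in your environment.
ALLOWED_HOSTS = {
    "slack.com",               # default Slack endpointUrl (chat.postMessage)
    "hooks.slack.com",         # Slack incoming webhooks
    "events.pagerduty.com",
    "hooks.example.internal",  # constructed internal webhook receiver
}

# Settings keys that hold a destination URL: "endpointUrl" for the Slack API
# endpoint, "url" for the webhook integration. Assumption about key names;
# verify against your Grafana version.
URL_KEYS = ("endpointUrl", "url")

# Request paths relevant to this CVE (Grafana unified alerting HTTP API).
TEST_PATH = "/api/alertmanager/grafana/config/api/v1/receivers/test"
PROVISIONING_PREFIX = "/api/v1/provisioning/contact-points"
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def suspicious_contact_points(contact_points, allowed_hosts=ALLOWED_HOSTS):
    """Return (name, type, url) for each contact point whose destination host
    is not on the allowlist. Secure fields arrive redacted from the API, but
    endpoint URLs are plain settings and therefore visible."""
    flagged = []
    for cp in contact_points:
        settings = cp.get("settings") or {}
        for key in URL_KEYS:
            url = settings.get(key)
            if not url:
                continue
            host = (urlparse(url).hostname or "").lower()
            if host not in allowed_hosts:
                flagged.append((cp.get("name"), cp.get("type"), url))
    return flagged


# logfmt: key=value, where value is either a quoted string (with escapes)
# or a bare token without whitespace.
_LOGFMT = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_logfmt(line):
    """Parse one Grafana logfmt line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _LOGFMT.findall(line)}


def contact_point_activity(log_lines):
    """Return (uname, method, path, status) for every logged request that
    writes a contact point or triggers a contact-point test. A write followed
    shortly by a test from the same user is the pattern behind this CVE."""
    hits = []
    for line in log_lines:
        f = parse_logfmt(line)
        if f.get("msg") != "Request Completed":
            continue
        path, method = f.get("path", ""), f.get("method", "")
        is_test = path == TEST_PATH
        is_edit = path.startswith(PROVISIONING_PREFIX) and method in WRITE_METHODS
        if is_test or is_edit:
            hits.append((f.get("uname"), method, path, f.get("status")))
    return hits


# Constructed sample of a provisioning API response. The Slack contact point's
# endpointUrl has been pointed at an attacker-controlled host while the
# (redacted) token is still attached to it.
SAMPLE_CONTACT_POINTS = json.loads("""[
  {"uid": "a1", "name": "slack-oncall", "type": "slack",
   "settings": {"endpointUrl": "https://203.0.113.9/api/chat.postMessage",
                "recipient": "#oncall", "token": "[REDACTED]"}},
  {"uid": "b2", "name": "pd-critical", "type": "pagerduty",
   "settings": {"integrationKey": "[REDACTED]", "severity": "critical"}},
  {"uid": "c3", "name": "ops-webhook", "type": "webhook",
   "settings": {"url": "https://hooks.example.internal/grafana"}}
]""")

# Constructed sample log lines in Grafana's router_logging format.
SAMPLE_LOG = """\
logger=context userId=7 orgId=1 uname=mallory t=2025-11-20T10:15:01.1+00:00 level=info msg="Request Completed" method=PUT path=/api/v1/provisioning/contact-points/a1 status=202 remote_addr=198.51.100.7 time_ms=35 duration=35ms size=0
logger=context userId=7 orgId=1 uname=mallory t=2025-11-20T10:15:09.4+00:00 level=info msg="Request Completed" method=POST path=/api/alertmanager/grafana/config/api/v1/receivers/test status=200 remote_addr=198.51.100.7 time_ms=812 duration=812ms size=128
logger=context userId=2 orgId=1 uname=alice t=2025-11-20T10:16:00.0+00:00 level=info msg="Request Completed" method=GET path=/api/dashboards/home status=200 remote_addr=10.0.0.5 time_ms=4 duration=4ms size=541
"""

if __name__ == "__main__":
    for name, kind, url in suspicious_contact_points(SAMPLE_CONTACT_POINTS):
        print(f"contact point {name!r} ({kind}) delivers to unexpected host: {url}")
    for uname, method, path, status in contact_point_activity(SAMPLE_LOG.splitlines()):
        print(f"{uname}: {method} {path} -> {status}")
```

Against a live instance, replace SAMPLE_CONTACT_POINTS with the JSON returned by the provisioning API (using a service account token with read access to contact points) and feed grafana.log lines to contact_point_activity; the allowlist is the only part that needs tailoring.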
CVE-2025-12141 is a vulnerability in Grafana Alerting that lets users with 'Contact Point Writer' permissions modify contact point URLs and extract the credentials stored for those contact points.
If you are running Grafana Alerting versions 8.0.0 through 12.3.0, you are potentially affected by this vulnerability.
Upgrade Grafana to version 12.3.1 or later to remediate the vulnerability. Restricting the 'Contact Point Writer' role to a minimal set of trusted users is a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability is considered a medium risk due to the potential for exploitation.
Refer to the official Grafana security advisory for detailed information and updates: [https://grafana.com/security/advisories/CVE-2025-12141](https://grafana.com/security/advisories/CVE-2025-12141)