Platform: grafana
Component: grafana
Fixed in: 12.3.1
CVE-2025-12141 is a security vulnerability in Grafana Alerting that allows users with specific permissions to modify contact points created by other users. That modification can lead to the extraction of sensitive credentials for third-party services, such as Slack tokens. The vulnerability affects Grafana Alerting versions 8.0.0 through 12.3.0; a fix is available in version 12.3.1.
The core of the vulnerability is that users holding the 'Contact Point Writer' role can change the endpoint URL of a contact point they did not create. This role is granted to users with the 'alert.notifications:write' or 'alert.notifications.receivers:test' permission, both of which are part of the built-in 'Editor' role. By redirecting the endpoint URL to a server they control and then triggering the contact point's 'test' function, such a user receives the secure settings stored for that contact point. The test function is designed to verify the connection to the third-party service, but it inadvertently exposes settings that are otherwise redacted, including authentication tokens. The potential impact is significant: an attacker can gain unauthorized access to the systems and data integrated with Grafana Alerting, such as Slack, PagerDuty, or email servers. Data at risk includes any sensitive information transmitted through those services, and lateral movement within the organization is possible if the compromised credentials also grant access to other systems.
CVE-2025-12141 was publicly disclosed on 2026-04-15. There is currently no indication of active exploitation in the wild, but the availability of a public proof-of-concept could change this. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation, and public proof-of-concept code is expected to emerge, which would increase that risk.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC:
The primary mitigation for CVE-2025-12141 is to upgrade Grafana Alerting to version 12.3.1 or later, which contains the fix. If an immediate upgrade is not feasible, restrict the 'Contact Point Writer' role, and the 'alert.notifications:write' and 'alert.notifications.receivers:test' permissions that grant it, to trusted users only. Review existing contact point configurations to identify any suspicious or unauthorized endpoint URLs. Consider a Web Application Firewall (WAF) in front of Grafana to monitor and block requests to unusual or unexpected endpoints within the Grafana Alerting system. Monitor Grafana Alerting logs for unusual activity, such as failed connection attempts, unexpected endpoint requests, or contact point edits and tests by users who did not create the contact point. Consider requiring multi-factor authentication (MFA) for users with elevated privileges to further reduce the risk of unauthorized access.
Update Grafana to version 12.3.1 or later to mitigate the vulnerability. The update fixes the issue by restricting users from editing the destinations of webhooks created by other users, which prevents unauthorized access to the sensitive configuration those webhooks carry.
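The advisory recommends reviewing existing contact point configurations for unauthorized endpoints. The following is an added example, not code from the advisory or from Grafana, that audits an exported list of contact points against a host allowlist; the JSON shape (uid, name, type, settings.url) is an assumption modeled loosely on Grafana's contact-point provisioning export, and the sample data and allowlist are constructed.

```python
import json
from urllib.parse import urlparse

# Assumption: the hosts your organization's contact points are allowed to deliver to.
ALLOWED_HOSTS = {"hooks.slack.com", "events.pagerduty.com", "alerts.internal.example.com"}

# Constructed sample; the field layout is an assumption, not copied from Grafana.
# A real export may omit or redact secure fields, in which case the point is skipped.
SAMPLE_CONTACT_POINTS = json.loads("""
[
  {"uid": "cp-slack-ops", "name": "ops-slack", "type": "slack",
   "settings": {"url": "https://hooks.slack.com/services/T000/B000/XXXX"}},
  {"uid": "cp-pd", "name": "oncall", "type": "pagerduty",
   "settings": {"url": "https://events.pagerduty.com/v2/enqueue"}},
  {"uid": "cp-wh-1", "name": "ops-webhook", "type": "webhook",
   "settings": {"url": "http://198.51.100.23:8080/collect"}},
  {"uid": "cp-wh-2", "name": "lookalike", "type": "webhook",
   "settings": {"url": "https://hooks.slack.com.evil.example/services/x"}}
]
""")


def endpoint_of(contact_point):
    """Return the delivery URL of a contact point, or None if none is exported."""
    return contact_point.get("settings", {}).get("url")


def audit_contact_points(contact_points, allowed_hosts=ALLOWED_HOSTS):
    """Return (uid, name, reason) for every contact point whose endpoint looks unauthorized.

    The host check is an exact match against the allowlist, so a lookalike such as
    hooks.slack.com.evil.example is flagged rather than accepted as a Slack host.
    """
    findings = []
    for cp in contact_points:
        url = endpoint_of(cp)
        if not url:
            continue
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.scheme != "https":
            reasons.append(f"scheme {parsed.scheme!r} is not https")
        if host not in allowed_hosts:
            reasons.append(f"host {host!r} is not allowlisted")
        if reasons:
            findings.append((cp["uid"], cp["name"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for uid, name, reason in audit_contact_points(SAMPLE_CONTACT_POINTS):
        print(f"{uid} ({name}): {reason}")
```

Run the audit against a fresh export after the upgrade as well, since the fix stops future edits but does not undo endpoints that were already changed.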
CVE-2025-12141 is a vulnerability in Grafana Alerting that allows users with 'Contact Point Writer' permissions to modify the URLs of contact points created by others and potentially extract the credentials stored in them.
If you are running Grafana Alerting versions 8.0.0 through 12.3.0, you are potentially affected by this vulnerability.
Upgrade Grafana Alerting to version 12.3.1 or later to remediate the vulnerability. Restricting the 'Contact Point Writer' role is a temporary workaround, not a fix.
There is currently no evidence of active exploitation, but the vulnerability is considered a medium risk because of its potential for exploitation.
Refer to the official Grafana security advisory for detailed information and updates: [https://grafana.com/security/advisories/CVE-2025-12141](https://grafana.com/security/advisories/CVE-2025-12141)