
A newly disclosed vulnerability in Grafana, the popular open-source analytics and monitoring tool, is putting thousands of organizations at serious risk of account takeover. According to researchers at Ox Security, over one-third of public-facing Grafana instances remain exposed to a high-severity cross-site scripting (XSS) flaw, tracked as CVE-2025-4123.
Grafana
Grafana is widely used by DevOps engineers, system administrators, and developers to monitor system performance, visualize metrics, and manage infrastructure logs. It plays a key role in observability for cloud-native and on-premise environments.
However, its popularity has also made it a valuable target for cyber attackers looking to exploit vulnerabilities and gain access to sensitive data or internal systems.
Grafana Vulnerability (CVE-2025-4123)
The flaw, discovered and patched in May 2025, is being called the “Grafana Ghost” by security researchers. It is a high-severity XSS vulnerability that can be triggered through a combination of:
Client path traversal
Open redirect
The National Vulnerability Database (NVD) describes the flaw as allowing attackers to redirect users to a website under their control. That site can host a fake frontend plugin whose JavaScript then runs in the victim's browser, inside the victim's Grafana session. Critically, the flaw:
Requires no elevated permissions (no editor or admin role is needed)
Works without any credentials at all if anonymous access is enabled
Can lead to full-read Server-Side Request Forgery (SSRF) if the Grafana Image Renderer plugin is installed
Ox Security has detailed how the attack chain functions. It begins with the attacker sending a crafted link to the victim. When the victim opens it, the combination of path traversal and open redirect causes the victim's browser to load, as a Grafana frontend plugin, JavaScript hosted on the attacker's server.
Once this malicious plugin is loaded, it can:
Run any JavaScript code on behalf of the user
Change the victim’s Grafana username and login email
Redirect the victim to internal services or dashboards
Reset the user’s password using the attacker-controlled email address
This essentially gives the attacker full access to the victim’s Grafana account, allowing them to view, modify, or delete sensitive performance and infrastructure data.
Ox Security’s research found that over 46,000 publicly accessible Grafana instances are still unpatched and vulnerable to this XSS flaw. That’s about 36% of all Grafana servers connected to the internet.
But the danger doesn’t stop there.
Grafana instances that are not reachable from the internet, such as those running on a workstation or in a private cloud environment, can also be targeted, because the exploit runs in the victim's browser rather than against the server directly. An attacker who knows or guesses the internal hostname and port can craft the malicious link for that address and exploit the internal instance too.

Grafana is often deeply integrated into an organization’s DevOps pipeline, providing visibility into infrastructure health, cloud resources, and application performance. A successful attack can have serious consequences, such as:
Loss of sensitive operational data
Disruption to monitoring systems
Delayed response to infrastructure outages
Unauthorized access to internal services
Full account takeover and lockout of authorized users
Organizations may lose visibility into critical systems, resulting in downtime, data breaches, or compliance violations.
What To Do?
1. Patch Immediately
The most important step is to update Grafana to a release that contains the fix for CVE-2025-4123. Grafana Labs published patched releases in May 2025, and organizations should apply them without delay.
2. Disable Anonymous Access
If not absolutely required, disable anonymous access to prevent attackers from exploiting the flaw without credentials.
3. Review and Monitor Plugins
Check for unauthorized or suspicious plugins and ensure only trusted plugins are installed from verified sources. Note that the plugin used in this attack chain is served from the attacker's server and loaded in the victim's browser when the link is opened, so it does not appear in the server-side plugin list; the inventory check hardens the instance against plugin-based attacks in general rather than detecting this one.
4. Apply Security Best Practices
Restrict access to Grafana dashboards using firewalls or VPNs
Monitor for unusual changes in usernames or email addresses
Enable two-factor authentication (2FA) for all users, typically through the identity provider Grafana authenticates against; this protects credentials, but it does not stop actions performed inside a session that is already logged in and hijacked through XSS
Regularly audit user permissions and system logs
5. Scan for Exploitation Attempts
Use vulnerability scanning tools to identify unpatched instances, and review web server and Grafana logs for signs of exploitation, such as unexpected changes to user emails or usernames followed by password resets.
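As an added example, not code from this article, from Ox Security or from Grafana Labs, the following Python script performs the first two checks above: it compares the version a Grafana instance reports against the first patched release of each maintained series and probes whether anonymous access is enabled. The fixed-release list, the behaviour of `/api/health` and `/api/org`, and the `+security-NN` version suffix are assumptions drawn from Grafana Labs' May 2025 advisory and Grafana's HTTP API, not from this page; verify them against the advisory before relying on the result.

```python
"""Audit a Grafana instance for CVE-2025-4123 exposure.

Added example; not code from the article, Ox Security or Grafana Labs.
Assumptions (verify against Grafana Labs' advisory before relying on this):
  - FIXED_RELEASES holds the first patched release of each maintained minor
    series as published in May 2025; older series received no security build.
  - GET /api/health returns JSON with a "version" field without authentication,
    and security builds report their version as e.g. "11.6.1+security-01".
  - An unauthenticated GET /api/org answering HTTP 200 means anonymous access
    is enabled; 401/403 means it is disabled.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# (major, minor) -> (patch, security build number) of the first fixed release.
FIXED_RELEASES = {
    (12, 0): (0, 1),   # 12.0.0+security-01
    (11, 6): (1, 1),   # 11.6.1+security-01
    (11, 5): (4, 1),   # 11.5.4+security-01
    (11, 4): (4, 1),   # 11.4.4+security-01
    (11, 3): (6, 1),   # 11.3.6+security-01
    (11, 2): (9, 1),   # 11.2.9+security-01
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?")


def parse_version(version):
    """Return (major, minor, patch, security_build) for a Grafana version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    major, minor, patch, sec = m.groups()
    return int(major), int(minor), int(patch), (int(sec) if sec else 0)


def is_vulnerable(version):
    """True if the given release predates the fix for its series."""
    major, minor, patch, sec = parse_version(version)
    fix = FIXED_RELEASES.get((major, minor))
    if fix is None:
        # Series newer than any listed (12.1 and later) were cut after the fix;
        # older unlisted series (11.1, 11.0, 10.x, ...) got no security build.
        return (major, minor) < min(FIXED_RELEASES)
    return (patch, sec) < fix


def assess_health(health, org_status):
    """Combine the /api/health body and the /api/org status code into findings."""
    version = health.get("version", "")
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "anonymous_access": org_status == 200,
    }


def _get(base_url, path, timeout=5):
    """Return (status, parsed JSON or None); 4xx is reported, not raised."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


def audit(base_url):
    status, health = _get(base_url, "/api/health")
    if status != 200 or not health:
        raise RuntimeError(f"/api/health returned HTTP {status}")
    org_status, _ = _get(base_url, "/api/org")
    return assess_health(health, org_status)


# Constructed sample of a /api/health body, used when no URL is given.
SAMPLE_HEALTH = {"commit": "0123abc", "database": "ok", "version": "11.5.3"}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(audit(sys.argv[1]), indent=2))
    else:
        print(json.dumps(assess_health(SAMPLE_HEALTH, 200), indent=2))
```

Run it as `python audit_grafana.py https://grafana.example.internal` (a hypothetical URL) to audit a live instance, or with no argument to see the result for the constructed sample, which reports 11.5.3 as vulnerable with anonymous access on. The version check is deliberately strict: a release with the same patch number but no `+security-01` suffix (for example plain 11.6.1) is treated as unpatched, because the fix shipped only in the security build.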
This XSS vulnerability in Grafana is a critical wake-up call for DevOps and security teams. Even trusted open-source tools can contain severe flaws that could be exploited at scale. With over 46,000 Grafana servers already exposed, it is crucial for organizations to act fast, patch their systems, and review their security posture.
Failing to address this issue could lead to account takeovers, data leaks, and operational disruptions—risks that no modern enterprise can afford.