CVE-2025-12141

LOW EPSS 16.8%

Published Apr 15, 20262mo ago · Modified Jun 17, 20261w ago

1.3 CVSS 4.0

Low

Published Apr 15, 2026 2mo ago

Last Modified Jun 17, 2026 1w ago

Description

In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.

CVSS Details

Base Score

1.3

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope N

Threat Intelligence

EPSS Exploit Probability

16.8% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure

Affected Products 1

Vendor	Product	Version	Range
grafana	grafana	*	≥8.0.0 – ≤12.3.0

References 1

grafana.com https://grafana.com/security/security-advisories/cve-2025-12141/

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.