Over 46,000 Grafana Instances Still Vulnerable to ‘Grafana Ghost’ Account Takeover Bug

A critical vulnerability in Grafana leaves over 46,000 internet-facing instances exposed to account hijacking and JavaScript injection through malicious plugin redirects.

    Unpatched Grafana Instances Expose Infrastructure to Account Takeover Attacks

    More than 46,000 internet-facing Grafana instances remain unpatched against a recently disclosed vulnerability that could allow remote attackers to hijack user sessions, modify credentials, and execute arbitrary JavaScript in user browsers. The bug, tracked as CVE-2025-4123, was responsibly disclosed by security researcher Alvaro Balada and addressed in security patches released by Grafana Labs on May 21.

    Despite the availability of these patches, a large portion of the ecosystem has yet to apply them, according to a new analysis from OX Security, which dubbed the flaw “The Grafana Ghost.”

    “We found 128,864 Grafana instances online, with 46,506 still vulnerable to the attack,” OX Security told BleepingComputer, adding that this equates to 36% of all accessible deployments.

    Exploitation Possible with Just One Malicious Click

    The vulnerability chains a client-side open redirect with a path traversal: a crafted URL makes Grafana's frontend load a plugin from a location the attacker controls. When a user with an active session clicks that URL, the attacker can:

    • Execute arbitrary JavaScript in the victim’s browser
    • Hijack session tokens
    • Change account credentials
    • In some configurations, launch server-side request forgery (SSRF) attacks
    • Modify email addresses to facilitate password reset hijacking

    The exploit does not require elevated privileges, and it works even when anonymous access is enabled, a setting that many Grafana deployments turn on. Grafana ships a Content Security Policy (CSP), but OX Security demonstrated that the crafted URL survives browser URL normalization and Grafana's client-side routing, so the CSP does not block the attack in this context.
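    The article does not reproduce the exploit URL, so nothing here is a proof of concept. What a defender can look for is the traversal ingredient the attack relies on: a request path containing a dot-dot segment, raw or percent-encoded, that a normalising URL parser would collapse. The scanner below is an added example, not code from the article, OX Security or Grafana Labs; the nginx combined log format, the sample lines and the particular paths in them are constructed assumptions.

```python
"""Flag path-traversal attempts against a Grafana host in web access logs.

Added example, not code from the article or from Grafana Labs. The article
states only that CVE-2025-4123 combines a client-side open redirect with a
path traversal; it does not give the exploit URL, so this scanner flags the
generic ingredient: a request path with a dot-dot segment, possibly
percent-encoded once or twice, which a normalising URL parser would collapse.
The log format (nginx "combined") and the sample lines are assumptions.
"""
import re
from urllib.parse import unquote, urlsplit

# nginx "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); the paths are illustrative.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2025:10:01:02 +0000] "GET /d/abc123/prod-overview?orgId=1 HTTP/1.1" 200 4521
10.0.0.5 - - [22/May/2025:10:01:03 +0000] "GET /public/build/app.js HTTP/1.1" 200 98213
203.0.113.9 - - [22/May/2025:10:02:10 +0000] "GET /public/../api/health HTTP/1.1" 200 60
203.0.113.9 - - [22/May/2025:10:02:11 +0000] "GET /public/%2e%2e/plugins/foo HTTP/1.1" 302 0
203.0.113.9 - - [22/May/2025:10:02:12 +0000] "GET /public/%252e%252e/plugins/foo HTTP/1.1" 302 0
10.0.0.7 - - [22/May/2025:10:03:00 +0000] "GET /api/datasources HTTP/1.1" 200 1203
"""


def traversal_segments(target: str, max_decodes: int = 2) -> list[str]:
    """Return the raw path segments that decode to '..' after up to
    max_decodes rounds of percent-decoding.

    Double decoding matters because some stacks decode once at the proxy and
    once in the application: '%252e%252e' becomes '..' only on the second pass.
    """
    path = urlsplit(target).path  # urlsplit does not normalise dot segments
    hits = []
    for segment in path.split("/"):
        decoded = segment
        for _ in range(max_decodes):
            new = unquote(decoded)
            if new == decoded:
                break
            decoded = new
        if decoded == "..":
            hits.append(segment)
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse access-log lines and return one record per request whose path
    contains a traversal segment. Lines that do not match LOG_RE are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = traversal_segments(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),
                "segments": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['target']}  traversal={f['segments']}")
```

    Run it against a real log with scan_log(open(path).read()). The double-decoding pass is the caveat worth keeping: a reverse proxy may decode once and the application again, and with max_decodes=1 the %252e%252e line is not flagged. A hit on a path under /public/ is worth correlating with the client IP and its subsequent plugin or API requests, but a hit alone is not proof of exploitation.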

    The Exploit Surface Is Wide—and Easy to Miss

    The attack requires specific conditions: user interaction (clicking a crafted link), an active session, and plugin loading enabled. But since the plugin system is enabled by default and Grafana is widely used for IT monitoring, infrastructure visualization, and DevOps dashboards, the exposure remains serious.

    Security researchers warn that the combination of low complexity, wide deployment, and minimal prerequisites makes this a high-risk issue for many enterprises.

    Patch Recommendations and Versions to Upgrade

    Grafana Labs has released security-fixed versions that address CVE-2025-4123. Administrators are strongly advised to upgrade to any of the following:

    • 10.4.18+security-01
    • 11.2.9+security-01
    • 11.3.6+security-01
    • 11.4.4+security-01
    • 11.5.4+security-01
    • 11.6.1+security-01
    • 12.0.0+security-01

    Enterprises are also encouraged to audit their Grafana configurations, in particular anonymous access, session management and plugin permissions, to minimize risk.
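    To find the instances that still need the upgrade, the version reported by Grafana's unauthenticated /api/health endpoint can be compared with the fixed builds listed above. The check below is an added example, not code from the article or from Grafana Labs. It assumes /api/health reports the build in its "version" field, that release lines newer than 12.0 already contain the fix, and that lines with no fixed build listed (11.0, 11.1, anything before 10.4) should be treated as vulnerable; the sample health responses are constructed.

```python
"""Decide whether a Grafana version string carries the CVE-2025-4123 fix.

Added example; not code from the article or from Grafana Labs. The fixed
builds are the ones the article lists. Grafana's security builds reuse an
existing version number with a "+security-NN" suffix, so "11.6.1" and
"11.6.1+security-01" must be told apart: the former predates the fix.
Assumptions: /api/health (an unauthenticated Grafana endpoint) reports the
build in its "version" field; release lines newer than 12.0 (12.1, ...) are
treated as including the fix; lines with no fixed build (11.0, 11.1, anything
before 10.4) are treated as vulnerable.
"""
import json
import re

# (major, minor) -> (patch, security build) of the fixed release, from the article.
FIXED = {
    (10, 4): (18, 1),
    (11, 2): (9, 1),
    (11, 3): (6, 1),
    (11, 4): (4, 1),
    (11, 5): (4, 1),
    (11, 6): (1, 1),
    (12, 0): (0, 1),
}
NEWEST_FIXED_LINE = max(FIXED)  # (12, 0)

VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<pre>-[0-9A-Za-z.-]+)?"
    r"(?:\+security-(?P<sec>\d+))?"
)


def parse_version(version: str):
    """Return (major, minor, patch, build), where build orders the variants of
    one x.y.z: -1 for a pre-release, 0 for the plain release, N for +security-0N."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    if m["pre"]:
        build = -1
    elif m["sec"]:
        build = int(m["sec"])
    else:
        build = 0
    return int(m["major"]), int(m["minor"]), int(m["patch"]), build


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fixed build of its release line."""
    major, minor, patch, build = parse_version(version)
    line = (major, minor)
    if line in FIXED:
        return (patch, build) < FIXED[line]
    # Assumption: later release lines contain the fix; earlier or skipped ones do not.
    return line < NEWEST_FIXED_LINE


def check_health(health_json: str) -> dict:
    """Evaluate the JSON body of GET /api/health, e.g. {"version": "11.6.1"}."""
    version = json.loads(health_json)["version"]
    return {"version": version, "vulnerable": is_vulnerable(version)}


def fetch_health(base_url: str, timeout: float = 5.0) -> str:
    """Fetch /api/health from a live instance (network; not used by the demo)."""
    from urllib.request import urlopen
    with urlopen(base_url.rstrip("/") + "/api/health", timeout=timeout) as resp:
        return resp.read().decode()


# Constructed /api/health bodies, not captured from real instances.
SAMPLE_HEALTH = [
    '{"commit": "abc", "database": "ok", "version": "11.6.1"}',
    '{"commit": "def", "database": "ok", "version": "11.6.1+security-01"}',
    '{"commit": "123", "database": "ok", "version": "12.0.0-pre"}',
    '{"commit": "456", "database": "ok", "version": "11.1.0"}',
]

if __name__ == "__main__":
    for body in SAMPLE_HEALTH:
        r = check_health(body)
        print(f"{r['version']:<24} {'VULNERABLE' if r['vulnerable'] else 'fixed'}")
```

    The detail worth getting right is the build suffix: Grafana's security releases reuse an existing version number, so an instance reporting 11.6.1 is still vulnerable while 11.6.1+security-01 is not, and a naive semver comparison that discards build metadata would clear both. For a fleet, feed each base URL to fetch_health and the body to check_health.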

    The Enterprise Response: Securing Monitoring Infrastructure

    As open-source monitoring platforms like Grafana continue to serve as critical backend infrastructure in global enterprises, the security of these systems cannot be treated as an afterthought. Even a single overlooked vulnerability can become a gateway for data breaches, internal resource exposure, and identity compromise.

    The Grafana Ghost incident is a timely reminder that systems handling internal metrics and dashboards must be isolated, patched promptly, and backed by resilient infrastructure.

    Safeguard Against Exploits with Immutable and Air-Gapped Backup

    Enterprise environments depend on monitoring systems like Grafana to ensure business continuity. When these systems are compromised, it’s not just uptime at stake—but your entire visibility into operations.

    If you’re looking to strengthen your defenses, check out this enterprise-grade option built specifically for resilience:
    StoneFly DR365 for Veeam—a fully air-gapped, immutable backup and recovery appliance trusted by large organizations to ensure operational continuity even during sophisticated cyberattacks.
