Grafana is one of the most popular open-source platforms for analytics, monitoring, and visualization. It helps organizations set up dashboards, alerts, and reporting, and is widely used by DevOps, engineers, and administrators all over the world.
But in August 2023, a serious privilege escalation vulnerability was discovered in Grafana. This issue—CVE-2023-4822—affects Grafana installations with multiple organizations. In this article, we’ll break down what this vulnerability is, how it works, see a code example, and explain what you can do to stay safe. Because this exploit could let one admin take full control of other organizations’ permissions, it’s a big deal for multi-tenant setups!
Vulnerability Summary
CVE-2023-4822 lets a user who has the “Organization Admin” role in one organization (Org) change the core permissions (like who is admin, editor, or viewer) for all organizations in the whole Grafana server. Even worse, that admin can give themselves (or other users) higher permissions everywhere they have membership.
In simpler terms: if you’re an Org Admin in Org A, you can mess with role permissions in Org B, C, D, and so on—even if you’re only a member of Org A.
What you can do with this vulnerability
- As an Org Admin, you can change the permissions of key roles (Admin/Editor/Viewer) in *all* organizations on your instance.
- You can grant or remove *any* permissions to yourself or any other user—for any org you’re already part of.
Why Is This Dangerous?
Usually, organizations on a shared Grafana server expect that Org Admins only control their own org. With this vulnerability, one Org Admin can accidentally or on purpose take over users, promote themselves, or lock others out across the instance. That breaks the very notion of multi-tenancy.
What causes the bug?
Inside Grafana’s code, the endpoints that handle role permission changes didn’t properly check if an Org Admin should be able to change global org roles. As a result, they were allowed to adjust role bindings outside their own org. All they needed was access to the relevant REST API endpoints.
Realistic Exploit Scenario
Let’s say Grafana has 5 organizations hosted in one instance. Each org has a few members, and each org has its own Org Admin. Bob is Org Admin in Org2.
Bob can
1. Change what “Org Admin” or “Org Editor” means in Org1 (for example, give “Org Editor” the ability to delete users),
Exploitation Example
Let’s see how it can look in practice, using a simple curl command with Grafana’s REST API.
Let’s say you’re logged in as “bob” (an Org Admin in Org2). You want to change Org Admin permissions in Org1 or upgrade permissions in another org where you’re a Viewer.
Grafana exposes a REST API to modify org roles and permissions. The endpoint often looks like this:
POST /api/orgs/:orgId/roles/:roleName/permissions
Here’s a hypothetical Python (requests) code snippet showing how someone could abuse this (it assumes a cookie-based Grafana session already exists; the endpoint path and payload are illustrative, not a documented Grafana API):
import requests

base_url = 'https://grafana.example.com'
org_id_to_attack = 3  # Org you want to target (not the org Bob is admin of)
role_name = 'OrgEditor'  # Targeting the org editor role
session_cookie = {'grafana_session': 'session_id_here'}  # placeholder session id

# Permissions payload - grant "user:admin" permission!
payload = {
    "permissions": [
        "user:read",
        "user:write",
        "user:admin",
    ]
}

# The vulnerable endpoint never checked that the caller is an admin of org_id_to_attack
resp = requests.post(
    f"{base_url}/api/orgs/{org_id_to_attack}/roles/{role_name}/permissions",
    json=payload,
    cookies=session_cookie,
)
print(resp.status_code, resp.text)
As Org Admin in one org, this lets you alter global roles, giving more power to yourself—or others—in any org where you’re a member. With enough exploitation, you could become super admin everywhere you belong.
Patch & Mitigation
The Grafana team patched this issue quickly. All sites running multi-organization Grafana should upgrade to at least Grafana 8.5.28 or Grafana 9.5.11 (and above). These versions contain the fix.
Link to official security advisory:
https://grafana.com/security/security-advisory/2023-08-25-grafana-privilege-escalation/
It's critical to check your instance, identify Org Admins, and review logs for suspicious role or permission changes.
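One way to do that log review, as an added example that is not part of the original article or of Grafana itself: it assumes Grafana's default logfmt request lines ("Request Completed" with userId, orgId, uname, method and path, where orgId is the caller's current org context) and flags every mutating request aimed at /api/orgs/<id>/ whose id differs from the caller's own org. The sample log lines are constructed.

```python
"""Flag cross-org permission changes in Grafana server logs (logfmt).

Added example, not code from Grafana or the article. Assumes Grafana's default
request log fields: userId, orgId (caller's org context), uname, method, path.
"""
import re

_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value / key="v v"
_ORG_PATH_RE = re.compile(r"^/api/orgs/(\d+)(?:/|$)")  # org id in the path
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_logfmt(line):
    """Parse one logfmt line into a dict; quoted values lose their quotes."""
    out = {}
    for key, val in _KV_RE.findall(line):
        out[key] = val[1:-1] if val.startswith('"') else val
    return out


def find_cross_org_mutations(lines):
    """Return mutating requests whose /api/orgs/<id>/ target differs from the
    caller's own orgId context: the trace CVE-2023-4822 abuse would leave."""
    hits = []
    for line in lines:
        rec = parse_logfmt(line)
        m = _ORG_PATH_RE.match(rec.get("path", ""))
        if rec.get("msg") != "Request Completed" or not m:
            continue
        if rec.get("method") not in MUTATING:
            continue
        target_org, caller_org = int(m.group(1)), int(rec.get("orgId", 0))
        if target_org != caller_org:
            hits.append({"time": rec.get("t"), "user": rec.get("uname"),
                         "caller_org": caller_org, "target_org": target_org,
                         "method": rec["method"], "path": rec["path"],
                         "status": rec.get("status")})
    return hits


# Constructed sample lines in Grafana's logfmt layout (not real log data).
SAMPLE_LOG = [
    'logger=context userId=7 orgId=2 uname=bob t=2023-10-16T09:15:01Z level=info msg="Request Completed" method=GET path=/api/dashboards/home status=200',
    'logger=context userId=7 orgId=2 uname=bob t=2023-10-16T09:15:02Z level=info msg="Request Completed" method=POST path=/api/orgs/3/users status=200',
    'logger=context userId=1 orgId=1 uname=admin t=2023-10-16T09:16:00Z level=info msg="Request Completed" method=POST path=/api/orgs/1/users status=200',
    'logger=context userId=7 orgId=2 uname=bob t=2023-10-16T09:17:00Z level=info msg="Request Completed" method=PATCH path=/api/orgs/1/users/4 status=200',
]

if __name__ == "__main__":
    for h in find_cross_org_mutations(SAMPLE_LOG):
        print(f"{h['time']} {h['user']} org {h['caller_org']} -> {h['method']} {h['path']}")
```

Run it against your own grafana.log; every hit is a request worth correlating with the caller's actual role in the target org, since on a patched server only Server Admins should be able to make such calls succeed.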
References
- CVE-2023-4822 MITRE Listing
- Grafana Security Advisory
- Grafana Role and Permission Docs
Conclusion
CVE-2023-4822 shows how a small mistake in permission checks can quickly snowball into a major multi-tenant problem. If you run a Grafana instance with multiple orgs, upgrading is not optional—it's urgent.
For any shared Grafana, keep a close eye on role management and never assume each org’s admin is truly isolated. One vulnerable admin can lead to all orgs being at risk.
Timeline
Published on: 10/16/2023 09:15:00 UTC
Last modified on: 10/20/2023 18:30:00 UTC