Security researchers at Noma Security have disclosed a new vulnerability they are calling GrafanaGhost, an exploit capable of silently stealing sensitive data from Grafana environments by chaining multiple security bypasses, including a method that circumvents the platform’s AI model guardrails without requiring any user interaction.
Grafana is widely deployed across enterprise organizations as a central hub for observability and data monitoring, typically housing real-time financial metrics, infrastructure health data, private customer records, and operational telemetry, among other uses. That concentration of sensitive information is what makes the platform a significant target. GrafanaGhost exploits how Grafana’s AI components process user-controlled input to bridge the gap between a private data environment and an external attacker-controlled server.
The attack requires no login credentials and does not depend on a user clicking a malicious link. It begins when an attacker crafts a specific URL path using query parameters originating outside the victim organization’s environment. Because Grafana handles entry logs, an attacker can gain access to an enterprise environment to which they have no legitimate connection. The attacker then injects hidden instructions that Grafana’s AI processes — a tactic known as prompt injection — using specific keywords to cause the model to ignore its own guardrails.
Grafana has built-in protections designed to prevent prompt injection, but Noma’s researchers found a flaw in the logic underlying that protection — one that could be exploited by formatting a web address in a way that Grafana’s security check misread as safe, while the browser treated it as a request to an external server the attacker controlled. The gap between what the security check believed it was allowing and what actually happened was enough to open the door for the attack.
The final obstacle was the AI model’s own instinct for self-defense. When researchers first attempted to slip malicious instructions past it, the model recognized the pattern and refused. After further study of how the model processed different types of input, they found a specific keyword that caused it to stand down, treating what was effectively an attack instruction as a routine and legitimate request.
With all three bypasses in place, the attack runs on its own. The AI processes the malicious instruction, attempts to load an image from the attacker’s server, and in doing so quietly carries the victim’s sensitive data along with that request in an image tag. The data is gone before anyone in the organization knows a request was ever made.
Noma’s researchers noted that multiple security layers were present in Grafana’s implementation, but each contained its own exploitable weakness. The domain validation logic, the AI model guardrails, and the content security controls all failed when approached in sequence.
Because the exploit is triggered by indirect prompt injection rather than a suspicious link or an obvious intrusion, there is nothing for a user to notice, no access-denied error for an administrator to find, and no anomalous event for a security team to investigate. To a data team, a DevSecOps engineer, or a CISO, the activity is indistinguishable from routine processes.
“The payload sits inside what looks like a legitimate external data source. The exfiltration happens through a channel the AI itself initiates, which looks like normal AI behavior to any observer. Traditional SIEM rules, DLP tools, and endpoint monitoring aren’t designed to interrogate whether an AI’s outbound call was instructed by a user or by an injected prompt,” Sasi Levi, vulnerability research lead at Noma Labs, told CyberScoop. “Without runtime protection that understands AI-specific behavior, monitoring what the model was asked, what it retrieved, and what actions it took, this attack would be effectively invisible.”
The attack is another example of a broader shift in how adversaries are approaching enterprise environments that have integrated AI-assisted features. Rather than exploiting broken application code in the traditional sense, attackers are increasingly targeting weak AI security surfaces and indirect prompt injection methods that allow them to access and extract critical data assets while remaining entirely invisible to the security teams responsible for protecting them.
Noma has found similar issues over the past year, with Levi telling CyberScoop that researchers keep seeing the same fundamental gap: AI features are being bolted onto platforms that were never designed with AI-specific threat models in mind.
“The attack surface isn’t a misconfigured firewall or an unpatched library, rather it is the weaponization of the AI’s own reasoning and retrieval behavior. These platforms trust the content they ingest far too implicitly,” Levi said.
The research is another example of how attackers can weaponize AI in a manner that current defenses cannot keep up with, making it extremely difficult for defenders to keep pace.
“Offensive researchers and, increasingly, sophisticated threat actors are well ahead of most enterprise defenders on this,” Levi said. “The frameworks, detection signatures, and incident response playbooks for AI-native attacks simply don’t exist at scale yet. What gives us some optimism is that awareness is growing quickly, but awareness and readiness are very different things.”
Grafana Labs was notified through responsible disclosure protocols, worked with Noma to validate the findings, and issued a fix.
