Article updated with a statement from Grafana Labs.
Cybersecurity researchers at the firm Noma Security have identified a serious vulnerability named GrafanaGhost. This flaw affects Grafana, a popular software platform that many companies use as a central hub to monitor their financial metrics, infrastructure health, and private customer information.
For context, Grafana acts like a central nervous system for an organisation’s most sensitive data, making this discovery particularly concerning for businesses.
The vulnerability allows attackers to bypass security protections and secretly move private data from a company’s environment to an external server. And, this happens without the user ever knowing. Unlike traditional scams that require a person to click a suspicious link, GrafanaGhost operates autonomously.
According to the Noma threat research team, the attack is triggered in the background as soon as the system processes a malicious instruction, leaving no obvious trace for security teams to follow.
How the Ghost Attack Operates
As per Noma’s investigation, the attack utilizes Indirect Prompt Injection; this involves hiding instructions within data that the software’s AI components process. The hackers trick the system into ignoring its own safety rules by using specific keywords like error, errorMsgs, and INTENT to confuse the AI model.
The research further explains that the attack follows a specific, silent path where hackers first craft a specific web path using query parameters that look legitimate to the software but actually allow access to environments where the attacker has no rights. From there, they move to bypass the platform’s security.
Grafana has a security function meant to stop it from loading images from untrusted external websites. However, Noma’s investigation revealed a flaw in the JavaScript code. By using a legacy developer trick called protocol-relative URLs (using the // format), the hackers can fool the software into thinking the link is a safe internal path.
When the AI tries to display what it thinks is a normal image, it sends a request to the hacker’s server, and the sensitive business data is hooked onto that request as a URL parameter.
A Hidden Threat
It is worth noting that this attack is almost invisible. “The victim would have no idea anything was wrong,” researchers noted, because there is no “Access Denied” screen or broken code to alert the IT department. To a normal observer, the software appears to be functioning perfectly while the data is being sent to the hackers in real-time.
This discovery follows Noma’s team’s previous work on other vulnerabilities like GeminiJack and DockerDash. They found that by combining several small weaknesses, they could achieve “automatic data exfiltration with zero user interaction.”
This means that even when content security policies are in place, hackers can find ways around them by targeting how AI processes information, and AI security requires much more than standard client-side validation and content security policies.
Grafana Labs’ Response
Grafana Labs has pushed back on the characterization of the reported issue, stating that while a flaw in the Markdown image renderer was identified and promptly patched following a report from Noma Labs, it did not amount to a zero-click or autonomous exploit.
According to Grafana’s CISO Joe McManus, any successful abuse would have required substantial user involvement, including repeatedly directing the AI assistant to act on malicious instructions embedded in logs, even after being warned about them.
The company emphasized that there is no evidence the vulnerability was exploited in the wild and confirmed that no data was exposed from Grafana Cloud, framing the issue as a constrained, user-driven scenario rather than a silent AI-powered attack.
Grafana Labs thanks Noma Labs for their bug report, which mentioned an issue with image renderer in our Markdown component. While there was not a reasonable way to trigger an exploit of this, it did highlight one issue that was quickly patched.”
“We take security research seriously and remain committed to protecting our users. However, we must dispute the claim that this finding constitutes either a “zero-click” attack or that it could operate silently, autonomously, or in the background. Any successful execution of this exploit would have required significant user interaction: specifically, the end user would have to repeatedly instruct our AI assistant to follow malicious instructions contained in logs, even after the AI assistant made the user aware of the malicious instructions. We emphasize that there is no evidence of this bug having been exploited in the wild, and no data was leaked from Grafana Cloud.”
Joe McManus, CISO, Grafana Labs
Industry Expert Perspectives
In comments shared with Hackread.com, industry experts provided differing views on the impact of this discovery. Ram Varadarajan, CEO at Acalvio, noted that GrafanaGhost shows how AI integration creates a “massive security blind spot.”
He explained that because this method bypasses traditional defences without needing credentials, “it allows attackers to silently exfiltrate sensitive operational telemetry… disguised as routine image renders.” To stay safe, he suggests teams “shift from monitoring what an agent is told to performing runtime behavioural monitoring of what it actually does.”
On the other hand, Bradley Smith, SVP, Deputy CISO at BeyondTrust, suggested the findings might be “mostly hype” for well-protected companies. He noted that while the threat is real, its success depends on how a company has set up its network. “What’s less clear here is the practical exploitability against a hardened Grafana deployment with standard enterprise network controls,” Smith shared.
