Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defined in the base YAML file are exposed at /-/config and metrics instance configs defined for the scraping service are exposed at /agent/api/v1/configs/:key. Inline secrets will be exposed to anyone being able to reach these endpoints. If HTTPS with client authentication is not configured, these endpoints are accessible to unauthenticated users. Secrets found in these sections are used for delivering metrics to a Prometheus Remote Write system, authenticating against a system for discovering Prometheus targets, and authenticating against a system for collecting metrics. This does not apply for non-inlined secrets, such as *_file based secrets. This issue is patched in Grafana Agent versions 0.20.1 and 0.21.2. A few workarounds are available. Users who cannot upgrade should use non-inline secrets where possible. Users may also desire to restrict API access to Grafana Agent with some combination of restricting the network interfaces Grafana Agent listens on through http_listen_address in the server block, configuring Grafana Agent to use HTTPS with client authentication, and/or using firewall rules to restrict external access to Grafana Agent's API.
CVE-2021-41090
This medium-severity CVE scores 6.5 under NVD CVSS v3. EPSS exploit probability: 0.8%, top 26% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 6.5
- EG Score
- 6.5(medium)
- EPSS
- 50.1%
- KEV
- Not listed
Published
December 8, 2021
Last Modified
November 21, 2024
References (12)
- security-advisories@githubhttps://github.com/grafana/agent/commit/af7fb01e31fe2d389e5f1c36b399ddc46b412b21
- security-advisories@githubhttps://github.com/grafana/agent/pull/1152
- security-advisories@githubhttps://github.com/grafana/agent/releases/tag/v0.20.1
- security-advisories@githubhttps://github.com/grafana/agent/releases/tag/v0.21.2
- security-advisories@githubhttps://github.com/grafana/agent/security/advisories/GHSA-9c4x-5hgq-q3wh
- security-advisories@githubhttps://security.netapp.com/advisory/ntap-20211229-0004/
- af854a3a-2127-422b-91ae-364da2661108https://github.com/grafana/agent/commit/af7fb01e31fe2d389e5f1c36b399ddc46b412b21
- af854a3a-2127-422b-91ae-364da2661108https://github.com/grafana/agent/pull/1152
- af854a3a-2127-422b-91ae-364da2661108https://github.com/grafana/agent/releases/tag/v0.20.1
- af854a3a-2127-422b-91ae-364da2661108https://github.com/grafana/agent/releases/tag/v0.21.2
- af854a3a-2127-422b-91ae-364da2661108https://github.com/grafana/agent/security/advisories/GHSA-9c4x-5hgq-q3wh
- af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20211229-0004/
Affected Packages
(1 across 1 ecosystem)
Go(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| github.com/grafana/agent | — | 0.21.2 | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 9× in last 7d / 49× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-09 19:07 UTCEPSS rescore
- 2026-07-08 15:12 UTCEPSS rescore
- 2026-07-07 13:43 UTCEPSS rescore
- 2026-07-06 16:25 UTCEPSS rescore
- 2026-07-06 16:25 UTCEPSS rescore
- 2026-07-06 02:21 UTCEPSS rescore
- 2026-07-06 02:21 UTCEPSS rescore
- 2026-07-05 02:28 UTCEPSS rescore
- 2026-07-05 02:28 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-02 16:57 UTCEPSS rescore
- 2026-07-01 15:04 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-30 03:30 UTCOSV refresh
- 2026-06-28 14:05 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-27 03:06 UTCEPSS rescore
- 2026-06-27 03:06 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
Show 59 moreShow fewer
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-21 14:55 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-12 15:10 UTCOSV refresh
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 13:20 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-26 13:42 UTCEPSS rescore
- 2026-05-26 13:42 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 06:41 UTCEG score recompute
Related CVEs(same CWE)
Same CWE
10 shownCWE-312 · CWE-200
Frequently asked(5)
What is CVE-2021-41090?
When was CVE-2021-41090 disclosed?
Is CVE-2021-41090 actively exploited?
What is the CVSS score of CVE-2021-41090?
How do I remediate CVE-2021-41090?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-41090
Is Your Infrastructure Affected by CVE-2021-41090?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.