GHSA-7cfp-pmw3-4j7rHighCVSS 8.6

A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to...

Published
July 15, 2026
Last Modified
July 15, 2026

🔗 CVE IDs covered (1)

📋 Description

A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the server's environment-configured Grafana service-account token by supplying a crafted X-Grafana-URL request header. This also enables SSRF against arbitrary internal services, including cloud metadata endpoints.

🔗 References (3)