Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.

Affected Packages

Go github.com/grafana/grafana

Affected versions: 11.1.0 (fixed in 11.1.1)

Go github.com/grafana/grafana

Affected versions: 11.1.2 (fixed in 11.1.3)

Go github.com/grafana/grafana

Affected versions: 0.0.0-20240521130516-0072e4a92d89 (fixed in 0.0.0-20240725142242-c326d865c58b)

Related CVEs

CVE-2024-6322

Key Information

GHSA ID

GHSA-hh8p-374f-qgr5

Published

August 20, 2024 6:31 PM

Last Modified

June 24, 2025 4:59 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

github.com/grafana/grafana

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.